RE: Expansion of authz policy name leak (was: svn commit: r933194 - /subversion/trunk/subversion/mod_authz_svn/mod_authz_svn.c)

From: Kamesh Jayachandran <kamesh_at_collab.net>
Date: Tue, 13 Apr 2010 00:35:11 +0530

>IIUC, prior to your change, nobody who had enabled authz at all could make
>use of the SVNListParentPath feature (because the authorization for that
>display would systematically fail). But this also means that Subversion
>never leaked the name of a repository that was intended to be private/hidden
>from particular users. Now, we no longer suffer the blanket authz failure,
>but we are showing the name of every repository in the parent directory
>without regard to any authz rules whatsoever.

Whoever wanted SVNListParentPath to work with authz prior to this commit was using a workaround of <Location /svn/> which was leaking the same info.

With regards
Kamesh Jayachandran
Received on 2010-04-12 21:07:41 CEST

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]