
Re: Expansion of authz policy name leak (was: svn commit: r933194 - /subversion/trunk/subversion/mod_authz_svn/mod_authz_svn.c)

From: Peter Samuelson <peter_at_p12n.org>
Date: Mon, 12 Apr 2010 17:04:00 -0500

[C. Michael Pilato]
> IIUC, prior to your change, nobody who had enabled authz at all could
> make use of the SVNListParentPath feature (because the authorization
> for that display would systematically fail). But this also means
> that Subversion never leaked the name of a repository that was
> intended to be private/hidden from particular users. Now, we no
> longer suffer the blanket authz failure, but we are showing the name
> of every repository in the parent directory without regard to any
> authz rules whatsoever.

I have to admit, from my Unix background, this seems perfectly natural.
Unix has an inode-centric view of the filesystem, where a filename
really belongs to the directory it is in, more than to the file itself,
and permission to see the existence of the filename reflects this.

Would this be more surprising to people who don't have a Unix
background, then? 'Surprising' is the key question - as with any
security choice, we want to do what the administrator will expect and
assume.

Peter
Received on 2010-04-13 00:04:31 CEST

This is an archived mail posted to the Subversion Dev mailing list.
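
The Unix model referred to in the mail above, shown as an added example (not part of the original message): whether a name can be listed is decided by the mode of the parent directory, independently of the mode of the entry itself. The directory and repository names are constructed for illustration, and the printed results assume a Unix system and a non-root user.

```python
import os
import shutil
import tempfile


def _allowed(fn, path):
    """Return fn(path), or None if the kernel refuses with EACCES."""
    try:
        return fn(path)
    except PermissionError:
        return None


def probe(parent_mode, child_mode):
    """Create repos/private-repo with the given modes and report what the
    owner can learn: (names listed in parent, entry reachable by name,
    entry contents readable)."""
    root = tempfile.mkdtemp(prefix="listparent-")   # constructed sandbox
    parent = os.path.join(root, "repos")
    child = os.path.join(parent, "private-repo")    # constructed name
    os.makedirs(child)
    os.chmod(child, child_mode)
    os.chmod(parent, parent_mode)
    try:
        listed = _allowed(os.listdir, parent)               # needs r on parent
        reachable = _allowed(os.stat, child) is not None    # needs x on parent
        readable = _allowed(os.listdir, child) is not None  # needs r on child
        return listed, reachable, readable
    finally:
        os.chmod(parent, 0o700)   # restore modes so cleanup succeeds
        os.chmod(child, 0o700)
        shutil.rmtree(root)


if __name__ == "__main__":
    # Readable parent, closed entry: the name is visible, the contents are not.
    print(probe(0o700, 0o000))
    # Search-only parent, open entry: the name is hidden from listings,
    # but anyone who already knows it can still reach the entry.
    print(probe(0o300, 0o700))
```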