Re: Expansion of authz policy name leak (was: svn commit: r933194 - /subversion/trunk/subversion/mod_authz_svn/mod_authz_svn.c)

[C. Michael Pilato]
> IIUC, prior to your change, nobody who had enabled authz at all could
> make use of the SVNListParentPath feature (because the authorization
> for that display would systematically fail). But this also means
> that Subversion never leaked the name of a repository that was
> intended to be private/hidden from particular users. Now, we no
> longer suffer the blanket authz failure, but we are showing the name
> of every repository in the parent directory without regard to any
> authz rules whatsoever.

I have to admit, from my Unix background, this seems perfectly natural.
Unix has an inode-centric view of the filesystem, where a filename
really belongs to the directory it is in, more than to the file itself,
and permission to see the existence of the filename reflects this.

Would this be more surprising to people who don't hve a Unix
background, then? 'Surprising' is the key question - as with any
security choice, we want to do what the administrator will expect and
assume.

Peter
Received on 2010-04-13 00:04:31 CEST