[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Possible security problem with svnsync?

From: Bob Archer <Bob.Archer_at_amsi.com>
Date: Wed, 12 May 2010 09:46:31 -0400

> I have a repository that is partially mirrored, using svnsync and
> mod_authz_svn [1]. I just realised that the administrator of the
> mirror server can bypass the authz rules I've set up on the master
> server. All he has to do is change the svn:sync-from-url property
> on the mirror repository to be a file:// URL to the source
> repository, rather than a http:// one. The correct file:// URL is
> probably guessable.

Well, this has nothing to do with svnsync then does it? If you expose the repository file system then yes anyone can access it bypassing the server. Even with svn.exe it can be done. you should use FS/Network permission so that your repositories are only available via your server (http or svn protocols).

Received on 2010-05-12 15:45:14 CEST

This is an archived mail posted to the Subversion Dev mailing list.