RE: Possible security problem with svnsync?

From: Bob Archer <Bob.Archer_at_amsi.com>
Date: Wed, 12 May 2010 09:46:31 -0400

> I have a repository that is partially mirrored, using svnsync and
> mod_authz_svn [1]. I just realised that the administrator of the
> mirror server can bypass the authz rules I've set up on the master
> server. All he has to do is change the svn:sync-from-url property
> on the mirror repository to be a file:// URL to the source
> repository, rather than a http:// one. The correct file:// URL is
> probably guessable.

Well, this has nothing to do with svnsync then does it? If you expose the repository file system then yes anyone can access it bypassing the server. Even with svn.exe it can be done. you should use FS/Network permission so that your repositories are only available via your server (http or svn protocols).

BOb
Received on 2010-05-12 15:45:14 CEST

This message: [ Message body ]
Next message: Jon Foster: "RE: Possible security problem with svnsync?"
Previous message: Daniel Näslund: "WC-NG: Perhaps it's time to write a new summary of where we stand at the moment?"
In reply to: Jon Foster: "Possible security problem with svnsync?"
Next in thread: Jon Foster: "RE: Possible security problem with svnsync?"
Reply: Jon Foster: "RE: Possible security problem with svnsync?"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]