
Issue(?) with mod_dav_svn and requiring access to $reporoot

From: Tony Stevenson <pctony_at_apache.org>
Date: Mon, 21 May 2012 22:00:00 +0100

So,

Earlier today I was asked to open a few children from a repo that is essentially closed by default.
Some background information:

This setup allows commits only via an https vhost, and this is working perfectly. The http vhost is configured to not allow read-only access to the entire repo (as is the case with the main ASF repo).
We are running Apache httpd 2.2 and Subversion 1.7, from the Ubuntu apt repos.

REPOROOT = /x1/source.caret.cam.ac.uk/repos/svn
WEBROOT = http://source.caret.cam.ac.uk/svn/
PUBLICCHILD = http://source.caret.cam.ac.uk/svn/projects/talks.cam/

We do not want to make the webroot publicly readable, but we did want to make publicchild publicly readable. The only way I could make this happen was to use the config below. Basically we had to allow "GET OPTIONS PROPFIND REPORT" for the WEBROOT. You can see that we then go on to explicitly deny all but a couple of options to prevent listing the entire repo.

With this it seems that dav_svn needs access to the root of the repo to be able to list contents of child folders.

If we take away "GET REPORT" from WEBROOT, and then go to PUBLIC child, it will display an empty folder. But you can enter the name of a subfolder in the browser, and that will also open, again with no contents.

  ## For child objects to be able to be publicly readable, the root also needs to be readable.
  ## annoying but true.
  <Location /svn>
    DAV svn
    SVNPath /x1/source.caret.cam.ac.uk/repos/svn
    <LimitExcept GET OPTIONS PROPFIND REPORT>
      Order allow,deny
      Deny from all
    </LimitExcept>
    ErrorDocument 403 /forbidden.html
  </Location>

  ## This block will make sure that the contents of these directories cannot be enumerated publicly.
  ## Explicitly add directories/locations below to match against and allow access.
  <LocationMatch "^/svn/(attic|general|projects|users)">
    <LimitExcept PROPFIND OPTIONS>
      Order allow,deny
      deny from all
    </LimitExcept>
    ErrorDocument 403 /forbidden.html
  </LocationMatch>

  <Location /svn/projects/talks.cam>
    <LimitExcept OPTIONS PROPFIND GET REPORT>
       Order deny,allow
       deny from all
    </LimitExcept>
    Satisfy Any
    Allow from all
    ErrorDocument 403 /forbidden.html
  </Location>

-- 
Cheers,
Tony
---------------------------------------------------------------
Tony Stevenson
tony_at_pc-tony.com // pctony_at_apache.org // tony_at_caret.cam.ac.uk
GPG: 1024D/51047D66
http://blog.pc-tony.com
---------------------------------------------------------------

Received on 2012-05-21 23:00:07 CEST
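
An added example, not part of the original mail: a small Python model of the three posted sections, using their paths and method lists as written, that reports which repository paths are left answering GET or REPORT outside the public child because the LocationMatch list does not name them. It assumes sections apply in file order with the last matching section deciding; the sample paths, including the `vendor` directory, are constructed.

```python
import re

# Paths and method lists copied from the three sections in the post.
ROOT_PREFIX = "/svn"
ROOT_METHODS = {"GET", "OPTIONS", "PROPFIND", "REPORT"}
LOCKED = re.compile(r"^/svn/(attic|general|projects|users)")
LOCKED_METHODS = {"PROPFIND", "OPTIONS"}
PUBLIC_PREFIX = "/svn/projects/talks.cam"
PUBLIC_METHODS = {"OPTIONS", "PROPFIND", "GET", "REPORT"}


def under(prefix, path):
    """<Location> prefix match, on a path-segment boundary."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def governing_section(path):
    """Return (label, methods left open) for the last section matching path.

    Assumption: sections apply in file order and the last match decides.
    """
    label, methods = None, set()
    if under(ROOT_PREFIX, path):
        label, methods = "root", ROOT_METHODS
    if LOCKED.search(path):  # <LocationMatch> is a regex search on the URL path
        label, methods = "locked", LOCKED_METHODS
    if under(PUBLIC_PREFIX, path):
        label, methods = "public", PUBLIC_METHODS
    return label, methods


def readable_outside_public(paths):
    """Paths not under the public child that still answer GET or REPORT."""
    return [p for p in paths
            if governing_section(p)[0] != "public"
            and governing_section(p)[1] & {"GET", "REPORT"}]


# Constructed sample. "vendor" stands for a top-level directory created after
# the LocationMatch list was written; it is not named in the post.
SAMPLE = [
    "/svn", "/svn/attic", "/svn/projects/secret",
    "/svn/projects/talks.cam/trunk", "/svn/projects/talks.camera",
    "/svn/vendor/lib",
]

if __name__ == "__main__":
    print(readable_outside_public(SAMPLE))
```

Feeding it the real top-level directory names of the repository shows which ones would need adding to the LocationMatch alternation.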

This is an archived mail posted to the Subversion Dev mailing list.
