[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [BUG] Revprop edits are checked for read access.

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: Thu, 19 Jul 2012 09:15:16 -0400

With respect, you are Just Plain Wrong(tm). :-)

The current behavior is by design. I know -- I helped to design it. Read
the authz_policy.txt.

   Users are allowed to attach arbitrary, unversioned properties to
   revisions. Additionally, most revisions also have "standard"
   revision props (revprops), such as svn:author, svn:date, and
   svn:log. Access to revprops may be restricted, based on
   readability of changed-paths.

"Based on the readability of changed-paths". We never consider the
writability of a revision's changed-paths. Ever.

In fact, there is no independent read and write access revision properties
at all. When it comes to revprops, if you can read it, you can write it.

To understand why, you have to understand why we bothered restricting read
access to svn:log at all. We only hide the svn:log property because we
reasoned that log messages generally refer to the paths modified in the
revision with which they are associated. You know the drill: you modify
path /foo/bar, and your log message says, "Changed the logic in /foo/bar to
be less fooful and more barful." So our thought was that if a person wasn't
allowed to read some path that was changed in a revision, they should also
not be able to know that path exists (because the path itself might contain
sensitive information[1]. If a person shouldn't know that some path
modified in revision R exists, we should then hide the log message for that
revision because there's a good chance that the log message refers to the
very path we're trying to hide.

But as you can see, none of this logic has anything to do with whether the
user has *write* access to the changed paths.

-- C-Mike

[1] There are, of course, places where we *had* to leak some unreadable
paths just to get Subversion to work at all. See ``6. KNOWN LEAKAGE OF
UNREADABLE PATHS'' in authz_policy.txt.

On 07/19/2012 09:02 AM, Kamesh Jayachandran wrote:
> This is a bug. This allows editing of log message as long as user has some write access somewhere in the repository not necessarily on the change paths.
> With regards
> Kamesh Jayachandran
> -----Original Message-----
> From: C. Michael Pilato [mailto:cmpilato_at_collab.net]
> Sent: Thu 7/19/2012 6:21 PM
> To: Arwin Arni Nandagopal
> Cc: dev_at_subversion.apache.org
> Subject: Re: [BUG] Revprop edits are checked for read access.
> On 07/19/2012 07:29 AM, Arwin wrote:
>> Hi All,
>> I've raised http://subversion.tigris.org/issues/show_bug.cgi?id=4206 .
>> Here is the Description:
>> <Description>
>> Revision properties are now checked for read access during propedits. This
>> is done by making a GET subrequest to each of the changed paths in that
>> revision. GETs are always checked for read access only.
>> This enables anyone with ONLY read access to a path edit the log message for
>> a revision that modified that path.
>> The attached patch special cases these subrequests by checking for write
>> access for all GET requests except if they are subrequests of PROPFIND or
>> REPORT (in which case they are checked for read access).
>> </Description>
>> Please share your thoughts on this.
> There's no bug here. The behavior you see is be design. See my comments in
> the issue you filed.
> --
> C. Michael Pilato <cmpilato_at_collab.net>
> CollabNet <> www.collab.net <> Enterprise Cloud Development

C. Michael Pilato <cmpilato_at_collab.net>
CollabNet   <>   www.collab.net   <>   Enterprise Cloud Development

Received on 2012-07-19 15:15:56 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.