On 03/07/2013 12:21 PM, Bert Huijben wrote:
>> Then those proxy servers are already interfering with existing clients,
>> and preventing those clients from reporting capabilities, from storing
>> and fetching file lock metadata correctly, etc.
> I think we use different headers for the user agent and the capabilities
> and most other things.
> Proxies suppressing all non-default headers would have problems, but the
> user agent is sometimes an easy tweak to reduce the attack surface.

What I meant was that mod_dav_svn only bothers to parse a capabilities
header at all if the User-Agent string has "SVN/". If a proxy is stripping
User-Agent out, then I daresay that client is mergeinfo-disabled as a result

> Another possible issue: What about standard DAV clients?
> Should these obtain the keywords collapsed or expanded?

Ah! Now that's the rub! (Good catch, Bert.) We do *not* want a standard
DAV client GETting a resource with keywords expanded, tweaking it, and then
PUTting it back into the repository with expanded keywords.
So it would seem that we would not want this behavior to be the default for
a GET request, regardless of the client requesting it. We could make it an
option toggleable via the query string portion of the URL -- even
automatically add that flag in the URLs presented by a GET of the containing
directory. But no, a standard GET request against the public URL should not
 What happens if such a client screws up our "repository normal
format" -- expanding keywords or futzing with newlines -- when
PUTting a new version today?
C. Michael Pilato <cmpilato_at_collab.net>
CollabNet <> www.collab.net <> Enterprise Cloud Development
Received on 2013-03-07 19:55:49 CET