Re: 1.8 new public API review (mostly) complete.
On Mon, Apr 1, 2013 at 9:01 PM, Ben Reser <ben_at_reser.org> wrote:
> Done along with the doc change mentioned above in r1463374.
Glad I ended up looking at this. Found two security holes in
mod_authz_svn that we introduced in trunk. Both caused by the
improper handling of the cache_key. I added the one when I added
in-repo-authz (specifically the support for repos-relative URLs) and
the other was added by the addition of the groups file directive.
They were much easier to fix when the server resolves the
repos-relative URLs since you really want to use the absolute URL as
part of the cache_key.
Received on 2013-04-02 09:18:09 CEST
This is an archived mail posted to the Subversion Dev
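
Added illustration, not part of the archived message and not code from mod_authz_svn: a constructed C sketch of how a cache key of the kind discussed above can conflate two configurations when it is built from the repos-relative URL as configured, or leaves out the groups file. All function names, the key layout and the example.test URLs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Resolve a repos-relative URL ("^/path") against the repository root URL;
   anything else is treated as already absolute. Returns 0 on success. */
static int resolve_url(const char *root, const char *cfg, char *out, size_t len) {
    int n = (strncmp(cfg, "^/", 2) == 0)
        ? snprintf(out, len, "%s%s", root, cfg + 1)
        : snprintf(out, len, "%s", cfg);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Weak key (hypothetical): access file exactly as configured, groups ignored. */
static int weak_key(const char *access_cfg, char *out, size_t len) {
    int n = snprintf(out, len, "authz:%s", access_cfg);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Stronger key (hypothetical): every input that selects the rules, each
   resolved to an absolute URL first. '\n' is assumed not to occur in a URL. */
static int strong_key(const char *root, const char *access_cfg,
                      const char *groups_cfg, char *out, size_t len) {
    char access[512], groups[512] = "";
    if (resolve_url(root, access_cfg, access, sizeof access) != 0)
        return -1;
    if (groups_cfg && resolve_url(root, groups_cfg, groups, sizeof groups) != 0)
        return -1;
    int n = snprintf(out, len, "authz:%s\n%s", access, groups);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* 1 if two requests would share one cache entry, 0 if not, -1 on error. */
static int keys_collide(int strong, const char *root_a, const char *root_b,
                        const char *access, const char *grp_a, const char *grp_b) {
    char ka[1100], kb[1100];
    int bad = strong
        ? (strong_key(root_a, access, grp_a, ka, sizeof ka) ||
           strong_key(root_b, access, grp_b, kb, sizeof kb))
        : (weak_key(access, ka, sizeof ka) || weak_key(access, kb, sizeof kb));
    return bad ? -1 : strcmp(ka, kb) == 0;
}

int main(void) {
    const char *a = "https://svn.example.test/repos/a";   /* constructed */
    const char *b = "https://svn.example.test/repos/b";   /* constructed */
    printf("weak key, two repos:   %d\n", keys_collide(0, a, b, "^/conf/authz", NULL, NULL));
    printf("strong key, two repos: %d\n", keys_collide(1, a, b, "^/conf/authz", NULL, NULL));
    return 0;
}
```

With the weak key, two repositories that both configure `^/conf/authz` share one cache entry, so rules loaded for one would be served for the other; resolving to the absolute URL first keeps the entries separate.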