Re: 1.8 new public API review (mostly) complete.

From: Ben Reser <ben_at_reser.org>
Date: Tue, 2 Apr 2013 00:17:30 -0700

On Mon, Apr 1, 2013 at 9:01 PM, Ben Reser <ben_at_reser.org> wrote:
> Done along with the doc change mentioned above in r1463374.

Glad I ended up looking at this. Found two security holes in
mod_authz_svn that we introduced in trunk. Both caused by the
improper handling of the cache_key. I added the one when I added
in-repo-authz (specifically the support for repos-relative urls) and
the other was added by the addition of the groups file directive.
They were much easier to fix when the server resolves the
repos-relative urls since you really want to use the absolute URL as
part of the cache_key.
Received on 2013-04-02 09:18:09 CEST

This message: [ Message body ]
Next message: Julian Foad: "Re: 1.8 new public API review (mostly) complete."
Previous message: Ben Reser: "Re: 1.8 new public API review (mostly) complete."
In reply to: Ben Reser: "Re: 1.8 new public API review (mostly) complete."
Next in thread: Julian Foad: "Re: 1.8 new public API review (mostly) complete."
Reply: Julian Foad: "Re: 1.8 new public API review (mostly) complete."

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]