
Re: 1.8 new public API review (mostly) complete.

From: Ben Reser <ben_at_reser.org>
Date: Tue, 2 Apr 2013 00:17:30 -0700

On Mon, Apr 1, 2013 at 9:01 PM, Ben Reser <ben_at_reser.org> wrote:
> Done along with the doc change mentioned above in r1463374.

Glad I ended up looking at this. Found two security holes in
mod_authz_svn that we introduced in trunk. Both caused by the
improper handling of the cache_key. I added the one when I added
in-repo-authz (specifically the support for repos-relative urls) and
the other was added by the addition of the groups file directive.
They were much easier to fix when the server resolves the
repos-relative urls since you really want to use the absolute URL as
part of the cache_key.
Received on 2013-04-02 09:18:09 CEST

This is an archived mail posted to the Subversion Dev mailing list.
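
An added illustration, not code from this mail or from mod_authz_svn: a toy authz cache showing why the key has to be built from the resolved absolute URL and the groups file rather than from the configured `^/` string alone. The function names, sample paths and cache layout are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS 8
struct entry { char key[320]; char loaded[320]; };
static struct entry cache[SLOTS];   /* hypothetical per-connection cache */
static int used;

/* Resolve a repos-relative URL ("^/path") against the repository root. */
static void resolve(const char *conf, const char *root, char *out, size_t n)
{
    if (conf[0] == '^')
        snprintf(out, n, "%s%s", root, conf + 1);
    else
        snprintf(out, n, "%s", conf);
}

/* Return which authz sources the cache hands back for this request.
 * strict = 0: key is the configured string only.
 * strict = 1: key is the resolved absolute URL plus the groups file. */
const char *authz_for(const char *conf, const char *groups,
                      const char *root, int strict)
{
    char abs_url[128], key[320];
    int i;

    resolve(conf, root, abs_url, sizeof abs_url);
    if (strict)
        snprintf(key, sizeof key, "authz:%s|groups:%s", abs_url, groups);
    else
        snprintf(key, sizeof key, "authz:%s", conf);
    for (i = 0; i < used; i++)
        if (strcmp(cache[i].key, key) == 0)
            return cache[i].loaded;             /* hit: reuse parsed rules */
    if (used == SLOTS)
        used = 0;                               /* crude eviction */
    snprintf(cache[used].key, sizeof cache[used].key, "%s", key);
    /* Stand-in for fetch + parse: record the sources that were read. */
    snprintf(cache[used].loaded, sizeof cache[used].loaded, "%s + %s", abs_url, groups);
    return cache[used++].loaded;
}

int main(void)
{
    const char *g = "/etc/svn/groups";          /* constructed sample paths */
    authz_for("^/conf/authz", g, "file:///srv/svn/public", 0);
    printf("loose : %s\n", authz_for("^/conf/authz", g, "file:///srv/svn/private", 0));
    authz_for("^/conf/authz", g, "file:///srv/svn/public", 1);
    printf("strict: %s\n", authz_for("^/conf/authz", g, "file:///srv/svn/private", 1));
    return 0;
}
```

With the loose key, the request against the second repository is answered from the entry parsed for the first; with the strict key each repository and each groups file gets its own entry.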