
Re: Case sensitivity in authz files

From: Mark Phippard <markphip_at_gmail.com>
Date: Thu, 25 Apr 2013 09:04:24 -0400

On Thu, Apr 25, 2013 at 8:37 AM, Philip Martin
<philip.martin_at_wandisco.com> wrote:
> Julian Foad <julianfoad_at_btopenworld.com> writes:
>
>> I am only questioning the assignment of a 1.8.0 "release blocker"
>> milestone.
>
> That was simply because Branko suggested he was targeting 1.8.0. We
> have to decide now because I don't think we would put this into a minor
> release (the last case-sensitivity change went into 1.7.0).

First off, to be clear, I think we should have ALWAYS been
case-insensitive when comparing usernames. What I do not get is why
we would be considering doing this NOW.

Going all the way back to 1.0, our largest user base by far, Windows
users, have complained about this. Active Directory allows me to
log in as "Mark", "mark" or "MaRk". Obviously the last example is
extreme, but the upper case first letter happens pretty commonly. For
years, we just told these users to not do that and essentially
piss-off. It wasn't until something like 1.5 or 1.6 that we finally
added a directive that causes mod_dav_svn to normalize the username to
all upper or lower case so that you could write rules in one format.
I do not think we ever even documented this in release notes so I
cannot find when we added it.

Now we have some totally contrived scenario that the person writing
the rules essentially controls and we are wringing our hands about it?
Why wouldn't we give anyone bothered by this the same answer we gave
to Windows users for all those years?

It seems to me that we should fix our data structure so that we are
storing both keys when they differ only by case, or we should do
nothing.

--
Thanks
Mark Phippard
http://markphip.blogspot.com/
Received on 2013-04-25 15:04:57 CEST

This is an archived mail posted to the Subversion Dev mailing list.
