Re: [PATCH] speed up svn_repos_authz_check_access

From: Ben Reser <ben_at_reser.org>
Date: Wed, 7 Aug 2013 14:08:03 -0700

On Wed, Aug 7, 2013 at 1:03 PM, Roderich Schupp
<roderich.schupp_at_gmail.com> wrote:
> Err... the cache apr_hash_t by construction cannot contain keys (i.e.paths)
> that are not in the authz file also, so is bounded by the size of the
> corresponding svn_config_t. In fact, one could precompute the maximal
> cache on the first call to svn_repos_authz_check_access() by
> iterating over all paths in svn_config_t.

Yes that's true. I know there are people out there with very large
authz files though. Your cache isn't going to use much extra memory
for most connections. But an attacker can deliberately use more. I
agree in many if not most cases that still won't be an issue, but it's
an issue that at a minimum we have to point out to our admins.

> I see your point. "Clearing the cache" here means a single svn_clear_pool()
> call...

It's more than that. In the worst case scenario where the users
change for every request then you're doing the work to build a cache
that's torn down without ever being used.
Received on 2013-08-07 23:08:40 CEST

This message: [ Message body ]
Next message: Mattias Engdegård: "Re: localisation: status, migration to pootle"
Previous message: Roderich Schupp: "Re: [PATCH] speed up svn_repos_authz_check_access"
In reply to: Roderich Schupp: "Re: [PATCH] speed up svn_repos_authz_check_access"
Next in thread: Roderich Schupp: "Re: [PATCH] speed up svn_repos_authz_check_access"
Reply: Roderich Schupp: "Re: [PATCH] speed up svn_repos_authz_check_access"
Reply: Ivan Zhakov: "Re: [PATCH] speed up svn_repos_authz_check_access"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]