
Re: [PATCH] speed up svn_repos_authz_check_access

From: Ivan Zhakov <ivan_at_visualsvn.com>
Date: Thu, 8 Aug 2013 16:41:26 +0400

On Thu, Aug 8, 2013 at 1:08 AM, Ben Reser <ben_at_reser.org> wrote:
> On Wed, Aug 7, 2013 at 1:03 PM, Roderich Schupp
> <roderich.schupp_at_gmail.com> wrote:
>> Err... the cache apr_hash_t by construction cannot contain keys (i.e. paths)
>> that are not in the authz file also, so is bounded by the size of the
>> corresponding svn_config_t. In fact, one could precompute the maximal
>> cache on the first call to svn_repos_authz_check_access() by
>> iterating over all paths in svn_config_t.
>
> Yes that's true. I know there are people out there with very large
> authz files though. Your cache isn't going to use much extra memory
> for most connections. But an attacker can deliberately use more. I
> agree in many if not most cases that still won't be an issue, but it's
> an issue that at a minimum we have to point out to our admins.
>
I don't see a problem here: in the worst scenario the cache size would be
the same as the authorization file. So even for large authorization files
memory usage will be limited.

Other approaches are:
1. Use an svn_cache__t object to store cached values
2. Factor out the configuration file parser and store authorization
settings in our own hash table with interesting cached values.

-- 
Ivan Zhakov
CTO | VisualSVN | http://www.visualsvn.com
Received on 2013-08-08 14:42:24 CEST
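
A simplified model of the memory bound argued in this thread, added here as an example; it is not code from the patch or from Subversion. The rule table, `check_access` and `cache_size_after_flood` are hypothetical names, the rules and request paths are constructed sample data, and the per-rule slot stands in for the apr_hash_t keyed by authz paths.

```c
#include <stdio.h>
#include <string.h>

/* Constructed authz rules: section path -> read access for one user. */
struct rule { const char *path; int allow; int cached; int decision; };

static struct rule rules[] = {
    { "/",             1, 0, 0 },
    { "/trunk/secret", 0, 0, 0 },
    { "/branches",     1, 0, 0 },
};
enum { NRULES = sizeof rules / sizeof rules[0] };

static int cache_entries = 0;   /* number of filled cache slots */

/* True when rule_path is the request path itself or one of its ancestors. */
static int covers(const char *rule_path, const char *request)
{
    size_t n = strlen(rule_path);
    if (n == 1) return request[0] == '/';   /* root covers everything */
    return strncmp(rule_path, request, n) == 0
        && (request[n] == '/' || request[n] == '\0');
}

/* Check access; only rule paths ever become cache keys. */
int check_access(const char *request)
{
    struct rule *best = NULL;
    for (int i = 0; i < NRULES; i++)
        if (covers(rules[i].path, request)
            && (!best || strlen(rules[i].path) > strlen(best->path)))
            best = &rules[i];               /* longest matching rule wins */
    if (!best) return 0;                    /* no rule applies: deny */
    if (!best->cached) {                    /* stand-in for the costly evaluation */
        best->decision = best->allow;
        best->cached = 1;
        cache_entries++;
    }
    return best->decision;
}

/* Request many distinct constructed paths; return the resulting cache size. */
int cache_size_after_flood(int nrequests)
{
    char path[64];
    for (int i = 0; i < nrequests; i++) {
        snprintf(path, sizeof path, "/trunk/secret/f%d", i);
        check_access(path);
        snprintf(path, sizeof path, "/tags/t%d", i);
        check_access(path);
    }
    return cache_entries;
}
```

However many distinct paths a client requests, the cache never holds more entries than the rule table has sections.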

This is an archived mail posted to the Subversion Dev mailing list.