[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: SVNPathAuthz and 1.1.1

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2004-11-05 21:48:27 CET

On Nov 5, 2004, at 2:06 PM, Mark Phippard wrote:

>>
>> 'SVNPathAuthz off' will completely disable all path-based authz
>> checking. It prevents apache from doing GET subrequests to check the
>> readability of specific repository paths.
>
> Thanks. What I do not get is why this is needed. Don't you have to
> explicitly turn authz on anyway? What is the point of turning it on
> and
> off?

mod_dav_svn has no idea if any authorization modules are loaded or not.
  So it's *always* doing GET subrequests on changed-paths, to verify
whether a revision is wholly readable or not. Even if you have no
authorization module loaded at all, the subrequests are still
happening. Maybe they invoke an authorization module, maybe not.

The effect of the security fixes is: mod_dav_svn does a lot more GET
subrequests than it used to, especially on 'svn log' operations. It's
a matter of authz correctness.

So, even if you have no authorization module loaded at all, 'svn log'
is now slower with the security fixes.

The effect of "SVNPathAuthz off" is to disable GET subrequests
completely, thus regaining speed, but abandoning all hope of authz.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Nov 5 21:49:08 2004

This is an archived mail posted to the Subversion Users mailing list.