Re: SVNPathAuthz and 1.1.1

From: Ben Collins-Sussman <sussman_at_collab.net>
Date: 2004-11-05 21:48:27 CET

On Nov 5, 2004, at 2:06 PM, Mark Phippard wrote:

>>
>> 'SVNPathAuthz off' will completely disable all path-based authz
>> checking. It prevents apache from doing GET subrequests to check the
>> readability of specific repository paths.
>
> Thanks. What I do not get is why this is needed. Don't you have to
> explicitly turn authz on anyway? What is the point of turning it on
> and
> off?

mod_dav_svn has no idea if any authorization modules are loaded or not.
So it's *always* doing GET subrequests on changed-paths, to verify
whether a revision is wholly readable or not. Even if you have no
authorization module loaded at all, the subrequests are still
happening. Maybe they invoke an authorization module, maybe not.

The effect of the security fixes is: mod_dav_svn does a lot more GET
subrequests than it used to, especially on 'svn log' operations. It's
a matter of authz correctness.

So, even if you have no authorization module loaded at all, 'svn log'
is now slower with the security fixes.

The effect of "SVNPathAuthz off" is to disable GET subrequests
completely, thus regaining speed, but abandoning all hope of authz.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Nov 5 21:49:08 2004

This message: [ Message body ]
Next message: Mark Phippard: "Re: SVNPathAuthz and 1.1.1"
Previous message: Mark Phippard: "RE: svn log "hangs""
In reply to: Mark Phippard: "Re: SVNPathAuthz and 1.1.1"
Next in thread: Mark Phippard: "Re: SVNPathAuthz and 1.1.1"
Reply: Mark Phippard: "Re: SVNPathAuthz and 1.1.1"
Reply: Mark Phippard: "Re: SVNPathAuthz and 1.1.1"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]