Ben Collins-Sussman <sussman@collab.net> wrote on 11/05/2004 03:48:27 PM:
> On Nov 5, 2004, at 2:06 PM, Mark Phippard wrote:
>
> >>
> >> 'SVNPathAuthz off' will completely disable all path-based authz
> >> checking. It prevents apache from doing GET subrequests to check the
> >> readability of specific repository paths.
> >
> > Thanks. What I do not get is why this is needed. Don't you have to
> > explicitly turn authz on anyway? What is the point of turning it on
> > and off?
>
> mod_dav_svn has no idea if any authorization modules are loaded or not.
> So it's *always* doing GET subrequests on changed-paths, to verify
> whether a revision is wholly readable or not. Even if you have no
> authorization module loaded at all, the subrequests are still
> happening. Maybe they invoke an authorization module, maybe not.
>
> The effect of the security fixes is: mod_dav_svn does a lot more GET
> subrequests than it used to, especially on 'svn log' operations. It's
> a matter of authz correctness.
>
> So, even if you have no authorization module loaded at all, 'svn log'
> is now slower with the security fixes.
>
> The effect of "SVNPathAuthz off" is to disable GET subrequests
> completely, thus regaining speed, but abandoning all hope of authz.

But wouldn't that mean that operations like svn co and svn ci would still
trigger the authz?

Mark
Received on Fri Nov 5 21:51:13 2004
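
Added example, not part of the original message: an Apache configuration sketch of the trade-off described in the quoted explanation, with the default setting beside `SVNPathAuthz off`. The Location names, repository paths and file paths are assumptions.

```apache
# Constructed example; Location names and all file paths are placeholders.

# Repository with per-path access rules: keep SVNPathAuthz at its default
# (on) so mod_dav_svn continues to issue the GET subrequests that let an
# authorization module vet each changed path, e.g. during 'svn log'.
<Location /svn/restricted>
    DAV svn
    SVNPath /var/svn/restricted
    AuthType Basic
    AuthName "Subversion"
    AuthUserFile /etc/apache2/svn.htpasswd
    AuthzSVNAccessFile /etc/apache2/svn-access.conf
    Require valid-user
    SVNPathAuthz on
</Location>

# Repository with no authorization module and no per-path rules: the
# subrequests have nothing to enforce and only cost time, so they are
# switched off. Path-based authz checking is disabled for this Location.
<Location /svn/open>
    DAV svn
    SVNPath /var/svn/open
    SVNPathAuthz off
</Location>
```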