
Security issue when defining wrong location directive in Apache

From: Sander <boxtel_at_gmail.com>
Date: 2006-01-17 00:50:52 CET

Hi,

Can anybody confirm this?

I had some repositories under my https root.

My Apache conf was:

<Location /svn>
  DAV svn
  # Repository parent directory (note: this sits inside the web server's document root)
  SVNParentPath /var/www/domainname/httpsdocs/projects

  AuthType Basic
  AuthName "Subversion Repository Access"
  AuthUserFile /var/www/domainname/private/.xsinfo
  # Without a Require directive the Auth* settings above enforce nothing
  Require valid-user
</Location>

This looks quite OK, doesn't it?

BUT, if somebody were smart and guessed a URL, he could browse
directly to 'https://domainname/projects/<reposname>/<file-to-download>' and
therefore bypass the Location-based authentication (which looks for /svn
instead of /projects in the URL!) and download the repository files (in
raw database format).

So isn't it best practice to name the last part of the SVNParentPath /
SVNPath exactly the same as the 'Location' directive path?

Maybe this could be emphasized some more in the manual!
Or am I completely missing the picture here?

With regards,

Sander.
Received on Tue Jan 17 01:03:40 2006
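The root cause described in the mail is not the name of the Location path but the fact that the repository directory lives inside the web server's DocumentRoot, so Apache's static file handler can serve the raw repository files regardless of what the DAV Location is called. The following shell script is an added example (it is not from the original post, nor part of Subversion or Apache) that scans an Apache configuration for SVNParentPath/SVNPath directives and reports any that resolve to a directory under the DocumentRoot. The configuration text and paths used in the demo at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect Subversion repositories that are served from inside
# Apache's DocumentRoot. All config text and paths below are constructed.

# Return 0 if the absolute path $2 is equal to, or located inside, directory $1.
# Trailing slashes are stripped so "/var/www/" and "/var/www" compare equally.
path_under() {
  root=$(printf '%s' "$1" | sed 's#/*$##')
  child=$(printf '%s' "$2" | sed 's#/*$##')
  case "$child" in
    "$root"|"$root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read an Apache config on stdin. For every SVNParentPath or SVNPath directive,
# print "EXPOSED <path>" if it lies under the DocumentRoot, otherwise "OK <path>".
# Returns 1 if at least one repository path is exposed, 2 if no DocumentRoot
# was found, 0 otherwise.
check_svn_paths() {
  conf=$(cat)
  docroot=$(printf '%s\n' "$conf" | awk '$1=="DocumentRoot"{gsub(/"/,"",$2); print $2; exit}')
  [ -n "$docroot" ] || { echo "no DocumentRoot found" >&2; return 2; }
  status=0
  for p in $(printf '%s\n' "$conf" | awk '$1=="SVNParentPath"||$1=="SVNPath"{gsub(/"/,"",$2); print $2}'); do
    if path_under "$docroot" "$p"; then
      echo "EXPOSED $p"; status=1
    else
      echo "OK $p"
    fi
  done
  return $status
}

# Demo 1: the layout from the mail (constructed config), repository under the web root.
printf '%s\n' \
  'DocumentRoot "/var/www/domainname/httpsdocs"' \
  '<Location /svn>' \
  '  DAV svn' \
  '  SVNParentPath /var/www/domainname/httpsdocs/projects' \
  '  Require valid-user' \
  '</Location>' | check_svn_paths || echo "-> repository data is reachable as static files"

# Demo 2: corrected layout (constructed), repository stored outside the web root.
printf '%s\n' \
  'DocumentRoot "/var/www/domainname/httpsdocs"' \
  '<Location /svn>' \
  '  DAV svn' \
  '  SVNParentPath /var/svn/projects' \
  '  Require valid-user' \
  '</Location>' | check_svn_paths && echo "-> repository only reachable through mod_dav_svn"
```

The check is purely textual: it does not follow symlinks or Include directives, so on a real server run it against the fully merged configuration (for example the output of `apachectl -t -D DUMP_INCLUDES` combined with the included files) and also verify the directory with `ls -ld` on the host.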

This is an archived mail posted to the Subversion Users mailing list.
