[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: broken AuthzSVNAccessFile in 1.3.0 ? RFC

From: Kalin KOZHUHAROV <kalin_at_thinrope.net>
Date: 2006-01-19 17:08:11 CET

Holger Stratmann wrote:
> Michal Levý wrote:
>
>> Relocating wc to uppercase repo name works great! thanks for
>> suggestions....
>>
>> Still. This behavior were introduced by 1.3.0 and it seems to me like
>> a inconsistency.
>> SVN client works without complaints with different cased repo names
>> (maybe only on Windows), why authorization mechanism don't ?
>
> This is not uncommon (only on Windows!). The authorization is operating
> "in memory" and comparing strings. That's always case sensitive by
> default (unless specifically made case insensitive).
> Accessing the repository goes to the file system and requests a
> directory called "TVM" - Windows happily returns "tvm" or "Tvm" or
> whatever.
>
> I am wondering if THAT is acceptable behavior for Subversion?
If below is working, then it certainly is not!

> AFAIK, this should work (not that I'm doing it):
>
> [/]
> * = r
>
> [secret:/]
> * =
> me = rw
>
> Am I wrong?
>
> On Windows, that's now heavily broken, because I could still access
> "Secret" or "seCret" or something like that as an anonymous user, right?
Not sure that will work, and I am more than half asleep now... Will test
tomorrow. If that works... we'll have a HUGE hole in security... I hope it
does not.

> I think this should be changed in one of two ways:
> a) make authentication case insensitive on Windows (seems like it was in
> 1.2.3? However, on other operating systems it has to be case sensitive,
> so maybe it was "fixed for *nix" in 1.3.0? :-) Or it's actually a
> (regression) bug)
not a good idea

> b) make repository access case sensitive even on Windows (a case
> preserving version of the filename is available from the Win API if you
> want it)
times better

Kalin.

-- 
|[ ~~~~~~~~~~~~~~~~~~~~~~ ]|
+-> http://ThinRope.net/ <-+
|[ ______________________ ]|
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Jan 19 21:22:14 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.