[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

authz and hiding directories that have read access disabled.

From: Jon Scott Stevens <jon_at_latchkey.com>
Date: 2006-03-17 03:43:02 CET

I'm running svn 1.3.0 through Apache 2.0.52 on OSX 10.4.5. Here's my
authz:

[groups]
admin = jon

[/]
* = r
@admin = rw

[/acl]
* =
@admin = rw

I would expect that when I browse the repo via my http web browser
(not authenticated), that the /acl directory would not even get
listed in the output (because of the '* ='), but it does. Note, when
I try to view the repo, I am properly asked for auth information.

I kind of consider this a minor security hole in that svn is exposing
the name of a directory which really should not be available
publicly. Security through obscurity!

By the way, when I browse the same repo using my install of the
latest version of Trac, it's smart enough to not list the /acl
directory until I authenticate as jon.

thanks,

jon

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Mar 17 03:43:56 2006

This is an archived mail posted to the Subversion Users mailing list.