
authz and hiding directories that have read access disabled.

From: Jon Scott Stevens <jon_at_latchkey.com>
Date: 2006-03-17 03:43:02 CET

I'm running svn 1.3.0 through Apache 2.0.52 on OSX 10.4.5. Here's my
authz:

[groups]
admin = jon

[/]
* = r
@admin = rw

[/acl]
* =
@admin = rw

I would expect that when I browse the repo via my http web browser
(not authenticated), that the /acl directory would not even get
listed in the output (because of the '* ='), but it does. Note, when
I try to view the repo, I am properly asked for auth information.

I kind of consider this a minor security hole in that svn is exposing
the name of a directory which really should not be available
publicly. Security through obscurity!

By the way, when I browse the same repo using my install of the
latest version of Trac, it's smart enough to not list the /acl
directory until I authenticate as jon.

thanks,

jon

Received on Fri Mar 17 03:43:56 2006
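
Added example (not part of the original message, and not Subversion's or Trac's code): a simplified Python model of how the authz file above resolves read access, used to filter a directory listing the way the poster expected. The listing entries other than acl and all function names are constructed for illustration; the rule that the nearest section mentioning the user decides, with a grant winning inside a section, is a simplifying assumption.

```python
import configparser

# The authz file from the message above, embedded verbatim.
AUTHZ = """\
[groups]
admin = jon

[/]
* = r
@admin = rw

[/acl]
* =
@admin = rw
"""

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    groups = {g: {m.strip() for m in v.split(",")} for g, v in cp["groups"].items()}
    rules = {s: dict(cp[s]) for s in cp.sections() if s != "groups"}
    return rules, groups

def can_read(rules, groups, path, user):
    """user=None models an unauthenticated request."""
    path = "/" + path.strip("/")
    while True:
        allow = deny = False
        for who, perms in rules.get(path, {}).items():
            in_group = who.startswith("@") and user in groups.get(who[1:], ())
            if who == "*" or who == user or in_group:
                if "r" in perms:
                    allow = True
                else:
                    deny = True
        if allow or deny:          # this section mentions the user: it decides
            return allow           # assumption: a grant wins within a section
        if path == "/":
            return False           # no rule anywhere: no access
        path = path.rsplit("/", 1)[0] or "/"   # otherwise inherit from parent

def visible_entries(rules, groups, parent, names, user):
    """Drop children the user cannot read before rendering a listing."""
    base = parent.rstrip("/")
    return [n for n in names if can_read(rules, groups, base + "/" + n, user)]

RULES, GROUPS = load(AUTHZ)
LISTING = ["acl", "branches", "trunk"]  # constructed; only /acl is from the message
```

Calling visible_entries(RULES, GROUPS, "/", LISTING, None) gives the anonymous view without acl, while passing "jon" as the user returns all three entries.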

This is an archived mail posted to the Subversion Users mailing list.
