[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Fwd: authz and hiding directories that have read access disabled.

From: Jon Scott Stevens <jon_at_latchkey.com>
Date: 2006-03-21 18:16:48 CET

Trying once more. Didn't get a response last time. Maybe I need to
phrase the issue differently?

Read the FAQ. Searched the bug database. Nothing I have seen covers
this.

jon

Begin forwarded message:

> From: Jon Scott Stevens <jon@latchkey.com>
> Date: March 16, 2006 6:43:02 PM PST
> To: Subversion Users <users@subversion.tigris.org>
> Subject: authz and hiding directories that have read access disabled.
>
> I'm running svn 1.3.0 through Apache 2.0.52 on OSX 10.4.5. Here's
> my authz:
>
> [groups]
> admin = jon
>
> [/]
> * = r
> @admin = rw
>
> [/acl]
> * =
> @admin = rw
>
> I would expect that when I browse the repo via my http web browser
> (not authenticated), that the /acl directory would not even get
> listed in the output (because of the '* ='), but it does. Note,
> when I try to view the repo, I am properly asked for auth information.
>
> I kind of consider this a minor security hole in that svn is
> exposing the name of a directory which really should not be
> available publicly. Security through obscurity!
>
> By the way, when I browse the same repo using my install of the
> latest version of Trac, it's smart enough to not list the /acl
> directory until I authenticate as jon.
>
> thanks,
>
> jon
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Mar 21 18:19:22 2006

This is an archived mail posted to the Subversion Users mailing list.