unsafe authorisation hack?

From: temp temp <temp_at_scue.co.uk>
Date: 2007-04-02 15:03:39 CEST

I'm currently trying to add a little bit of authorisation to one of my
repositories that is served by apache. I found that using the normal
svn authorisation mechanism made retrieving log messages too slow to
be usable.

I then tried a basic system of limiting access to certain Locations
(and dav commands):

<Location /svn/web/live/>
RequireGroup blah
</Location>

This worked pretty well. Unfortunately it still allows users to drag
folders around within the repo-browser (I'm trying to avoid people
accidentally moving important folders).

I'm now using the LocationMatch tag directly on the !svn locations
(LocationMatch is required to regex match the unknown version number):

<LocationMatch "/2ndbyte/!svn/ver/[^/]*/web/live.*">
RequireGroup blah
</LocationMatch>

My question is basically - is this safe? I'm no apache/svn expert so I
don't really understand the risks. Obviously it's much harder to get
the rules correct this way (as it's pretty cumbersome). Mostly I'm
worried that this might allow part of a commit to complete but then
fail too late in the process to roll back.

Also, does anyone have any idea of what the performance impact of this
solution is?

Aidan.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Mon Apr 2 15:04:21 2007

This message: [ Message body ]
Next message: igor vieira: "Update replace files??"
Previous message: Carlos Oliveira: "Special characters on Path-Based Authorization"
Next in thread: Ryan Schmidt: "Re: unsafe authorisation hack?"
Reply: Ryan Schmidt: "Re: unsafe authorisation hack?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]