Lakshman, Matt,
Thanks for your reply. It encouraged me to look further.
.htaccess has nothing to do with it. It turns out to be a bug in the
design of subversion. Basically, subversion checkout ALWAYS tries to
download the root folder without authentication, then gets a result,
including a statement that one of the subfolders is unreadable (as
anonymous), and never tries to fetch it with the given credentials.
This is plain and simple a bug in subversion.
So, where can I submit bug reports?
I just replicated the bug on a repository with HTTP instead of HTTPS, so
I could monitor the raw HTTP traffic.
Summary:
For WebDAV-based repositories, subversion checkout ignores restricted
subfolders in a repository if the root folder is anonymously accessible,
even if proper authentication is given.
Steps to reproduce:
1. Set up Apache with SVN and webdav. I simply took a fresh Debian
install with the libapache2-svn packages (and relevant dependencies).
2. Set up a new repository with anonymously accessible root, and
restricted subfolder. E.g., with this configuration:
---- httpd.conf: ---------------------------------------------
ServerName www.example.com
<Location /svn>
DAV svn
SVNParentPath /var/data/svn
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/apache2/dav_svn.passwd
order allow,deny
allow from all
Require valid-user
Satisfy Any
AuthzSVNAccessFile /etc/apache2/dav_svn.acl
</Location>
----------------------------------------------------------------
---- dav_svn.acl: --------------------------------------------
[myrepos:/]
auser = rw
* = r
[myrepos:/restrictedsubfolder]
auser = rw
* =
----------------------------------------------------------------
3. Do a checkout as user "auser":
svn checkout --username auser --password secret \
http://www.example.com/svn/myrepos
Expected result:
I expect that the whole myrepos repository would be checked out,
including the restrictedsubfolder, as that is readable by auser.
Actual result:
All of the repository is checked out as anonymous, and the
restrictedsubfolder is completely ignored.
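The following is an added example, not code from the original mail or from the Subversion project: a small checker for Subversion authz files that reports the configuration shape reproduced above, a repository root that is readable anonymously with a subfolder that is not, where a named user still has read access. It uses a simplified model of the authz rules (plain user names and `*` only; no `@groups`, `&aliases`, `$anonymous`/`$authenticated` tokens, `~` negation or repository-independent `[/path]` sections), which is an assumption stated in the code. The embedded ACL is a constructed copy of the dav_svn.acl shown in the steps.

```python
"""Added example (not part of the original mail): report authz paths that
an anonymous client cannot read while the repository root is anonymously
readable and a named user can read them.

Simplified authz semantics (assumption: plain user names and '*' only):
the most specific path section that has a matching rule wins, and inside
a section a rule for the named user takes precedence over the '*' rule.
Sections without a 'repo:' prefix, @groups, &aliases, $anonymous /
$authenticated and ~negation are out of scope here.
"""
import configparser
import posixpath

# Constructed sample, same content as the dav_svn.acl in the mail.
SAMPLE_ACL = """\
[myrepos:/]
auser = rw
* = r
[myrepos:/restrictedsubfolder]
auser = rw
* =
"""

ANON = None  # marker for an anonymous (unauthenticated) client


def parse_acl(text):
    """Return {(repo, path): {principal: perms}} parsed from authz text."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep principal names case-sensitive
    cp.read_string(text)
    acl = {}
    for section in cp.sections():
        if ":" not in section:
            continue  # [groups], [aliases], [/path] are out of scope
        repo, path = section.split(":", 1)
        rules = {principal: (perms or "").strip()
                 for principal, perms in cp.items(section)}
        acl[(repo, posixpath.normpath(path))] = rules
    return acl


def effective_access(acl, repo, path, user=ANON):
    """Walk from `path` up to '/' and apply the first section that has a
    rule matching `user` (or '*'); no match anywhere means no access."""
    path = posixpath.normpath(path)
    while True:
        rules = acl.get((repo, path))
        if rules is not None:
            if user is not None and user in rules:
                return rules[user]
            if "*" in rules:
                return rules["*"]
        if path == "/":
            return ""
        path = posixpath.dirname(path)


def find_anon_root_with_restricted_subfolders(acl, repo, user):
    """Return subfolder paths that `user` can read but an anonymous client
    cannot, given that the repository root is anonymously readable: the
    shape that makes the client see those folders as absent."""
    if "r" not in effective_access(acl, repo, "/"):
        return []
    hits = []
    for (r, path), _rules in sorted(acl.items()):
        if r != repo or path == "/":
            continue
        if ("r" not in effective_access(acl, repo, path)
                and "r" in effective_access(acl, repo, path, user)):
            hits.append(path)
    return hits


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for p in ("/", "/restrictedsubfolder", "/restrictedsubfolder/deep"):
        print(p, "anon:", repr(effective_access(acl, "myrepos", p)),
              "auser:", repr(effective_access(acl, "myrepos", p, "auser")))
    print("at risk:",
          find_anon_root_with_restricted_subfolders(acl, "myrepos", "auser"))
```

Running it against the mail's ACL prints `/restrictedsubfolder` as the only path at risk; on a real server, replace `SAMPLE_ACL` with the contents of the file named by `AuthzSVNAccessFile` and the user with the account used for checkout.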
Regression:
The commands and provided username/password are correct. In fact, here
is an excerpt from the Apache log file:
Anonymous checkout of root folder: OK (HTTP 207 result):
192.0.2.34 - - "PROPFIND /svn/myrepos HTTP/1.1" 207 665 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
Anonymous checkout of restrictedsubfolder: Disallowed (HTTP 401 result):
192.0.2.34 - - "PROPFIND /svn/myrepos HTTP/1.1" 401 560 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
Authenticated checkout of root folder: OK (HTTP 207 result):
192.0.2.34 - auser - "PROPFIND /svn/myrepos HTTP/1.1" 207 665 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
Authenticated checkout of restrictedsubfolder: OK (HTTP 207 result):
192.0.2.34 - auser - "PROPFIND /svn/myrepos HTTP/1.1" 207 665 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
In fact, I even further analysed the raw HTTP
data. This is what happens for a restricted access root folder, if you
provide authentication:
* the subversion client accesses the HTTP page without authentication
* the server responds with a 401 result (Need authentication)
* the subversion client retries with authentication
* the server responds with a 207 result (OK)
* The repository metadata and a list of files is downloaded
Now, this is what happens for a publicly accessible root folder, if
you provide authentication:
* the subversion client accesses the HTTP page without authentication
* the server responds with a 207 result (OK)
* The repository metadata and a partial list of files is downloaded
The list of downloaded files is PARTIAL, because it contains this data
(excerpt of the full XML transcript):
<S:absent-directory name="restrictedsubfolder"/>
<S:add-directory name="publicsubfolder"
bc-url="/svn/myrepos/!svn/bc/7/publicsubfolder">
<D:checked-in><D:href>
/svn/myrepos/!svn/ver/7/publicsubfolder
</D:href></D:checked-in>
So the restricted access subfolder is marked as "absent-directory". That
is true in this context, as the subversion client never provided
authentication. However, it means that the client will also never
attempt to download the data, even though proper authentication was
given on the command line!
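As an added example (not from the original mail or the Subversion project), the check below walks an update-report reply of the kind excerpted above and lists every `absent-directory` and `absent-file` entry with its full path, so a checkout that silently skipped folders can be spotted from the raw WebDAV reply rather than from a missing directory on disk. It assumes the namespace prefixes `S="svn:"` and `D="DAV:"` used by mod_dav_svn; the sample document is constructed around the excerpt in the mail and is not a captured transcript.

```python
"""Added example (not part of the original mail): find entries that the
server reported as absent in a Subversion update-report reply.

Assumptions: namespaces S="svn:" and D="DAV:" as used by mod_dav_svn;
the document shape below is a constructed approximation built around
the excerpt in the mail, not a captured transcript.
"""
import xml.etree.ElementTree as ET

SVN = "svn:"
DAV = "DAV:"

# Constructed sample reply wrapping the excerpt from the mail.
SAMPLE_REPORT = """\
<S:update-report xmlns:S="svn:" xmlns:D="DAV:">
<S:target-revision rev="7"/>
<S:open-directory rev="7">
<D:checked-in><D:href>/svn/myrepos/!svn/ver/7</D:href></D:checked-in>
<S:absent-directory name="restrictedsubfolder"/>
<S:add-directory name="publicsubfolder"
bc-url="/svn/myrepos/!svn/bc/7/publicsubfolder">
<D:checked-in><D:href>
/svn/myrepos/!svn/ver/7/publicsubfolder
</D:href></D:checked-in>
<S:absent-file name="private.txt"/>
<S:add-file name="README">
<D:checked-in><D:href>/svn/myrepos/!svn/ver/7/publicsubfolder/README</D:href></D:checked-in>
</S:add-file>
</S:add-directory>
</S:open-directory>
</S:update-report>
"""


def _tag(name):
    """Clark-notation tag for an element in the svn: namespace."""
    return "{%s}%s" % (SVN, name)


def absent_entries(xml_text):
    """Return [(kind, path)] for every absent entry; paths are relative
    to the checkout root and follow the nesting of (add|open)-directory."""
    root = ET.fromstring(xml_text)
    found = []

    def walk(elem, prefix):
        for child in elem:
            if child.tag == _tag("absent-directory"):
                found.append(("directory", prefix + child.get("name", "")))
            elif child.tag == _tag("absent-file"):
                found.append(("file", prefix + child.get("name", "")))
            elif child.tag in (_tag("add-directory"), _tag("open-directory")):
                name = child.get("name")  # the root open-directory has none
                walk(child, prefix + name + "/" if name else prefix)
            # add-file / open-file and DAV: elements carry no nested entries

    walk(root, "")
    return found


def checkout_is_complete(xml_text):
    """True only when the server reported nothing as absent."""
    return not absent_entries(xml_text)


if __name__ == "__main__":
    for kind, path in absent_entries(SAMPLE_REPORT):
        print("absent %-9s %s" % (kind, path))
    print("complete:", checkout_is_complete(SAMPLE_REPORT))
```

On the constructed sample this reports `restrictedsubfolder` and `publicsubfolder/private.txt` as absent; fed the body of a reply captured over plain HTTP, as done in the mail, a non-empty result is the signal that the client was served an anonymous view of the tree.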
Regards,
Freek Dijkstra
Received on Tue Jul 10 23:49:48 2007