I didn't really read any of that, but my point is: svn does not check, and
has never checked, .htaccess *anywhere*
On 7/10/07, Freek Dijkstra <public@macfreek.nl> wrote:
> Lakshman, Matt,
>
> Thanks for your reply. It encouraged me to look further.
> .htaccess has nothing to do with it. It turns out to be a bug in the
> design of subversion. Basically, subversion checkout ALWAYS tries to
> download the root folder without authentication, then gets a result,
> including a statement that one of the subfolders is unreadable (as
> anonymous), and never tries to fetch it with the given credentials.
>
> This is plain and simple a bug in subversion.
>
> So, where can I submit bug reports?
>
> I just replicated the bug on a repository with HTTP instead of HTTPS, so
> I could monitor the raw HTTP traffic.
>
> Summary:
> For webdav based repositories, subversion checkout ignores restricted
> subfolders in a repository if the root folder is anonymously accessible.
> Even if proper authentication is given.
>
> Steps to reproduce:
> 1. Set up Apache with SVN and webdav. I simply took a fresh Debian
> install with the libapache2-svn packages (and relevant dependencies).
> 2. Set up a new repository with anonymously accessible root, and
> restricted subfolder. E.g., with this configuration:
> ---- httpd.conf: ---------------------------------------------
> ServerName www.example.com
> <Location /svn>
> DAV svn
> SVNParentPath /var/data/svn
> AuthType Basic
> AuthName "Subversion Repository"
> AuthUserFile /etc/apache2/dav_svn.passwd
> order allow,deny
> allow from all
> Require valid-user
> Satisfy Any
> AuthzSVNAccessFile /etc/apache2/dav_svn.acl
> </Location>
> ----------------------------------------------------------------
> ---- dav_svn.acl: --------------------------------------------
> [myrepos:/]
> auser = rw
> * = r
>
> [myrepos:/restrictedsubfolder]
> auser = rw
> * =
> ----------------------------------------------------------------
> 3. Do a checkout as user "auser":
> svn checkout --username auser --password secret \
> http://www.example.com/svn/myrepos
>
> Expected result:
> I expect that the whole myrepos repository would be checked out,
> including the restrictedsubfolder, as that is readable by auser.
>
> Actual result:
> All of the repository is checked out as anonymous, and the
> restrictedsubfolder is completely ignored.
>
> Regression:
> The commands and provided username/password are correct. In fact, here
> is an excerpt from the Apache log file:
> Anonymous checkout of root folder: OK (HTTP 207 result):
> 192.0.2.34 - - "PROPFIND /svn/myrepos HTTP/1.1" 207 665 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
> Anonymous checkout of restrictedsubfolder: Disallowed (HTTP 401 result):
> 192.0.2.34 - - "PROPFIND /svn/myrepos HTTP/1.1" 401 560 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
> Authenticated checkout of root folder: OK (HTTP 207 result):
> 192.0.2.34 - auser - "PROPFIND /svn/myrepos HTTP/1.1" 207 665 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
> Authenticated checkout of restrictedsubfolder: OK (HTTP 207 result):
> 192.0.2.34 - auser - "PROPFIND /svn/myrepos HTTP/1.1" 207 665 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
>
> In fact, I even further analysed the raw HTTP
> data. This is what happens for a restricted access root folder, if you
> provide authentication:
> * the subversion client accesses the HTTP page without authentication
> * the server responds with a 401 result (Need authentication)
> * the subversion client retries with authentication
> * the server responds with a 207 result (OK)
> * The repository metadata and a list of files is downloaded
>
> Now, this is what happens for a publicly accessible root folder, if
> you provide authentication:
> * the subversion client accesses the HTTP page without authentication
> * the server responds with a 207 result (OK)
> * The repository metadata and a partial list of files is downloaded
>
> The list of downloaded files is PARTIAL, because it contains this data
> (excerpt of the full XML transcript):
> <S:absent-directory name="restrictedsubfolder"/>
> <S:add-directory name="publicsubfolder"
> bc-url="/svn/myrepos/!svn/bc/7/publicsubfolder">
> <D:checked-in><D:href>
> /svn/myrepos/!svn/ver/7/publicsubfolder
> </D:href></D:checked-in>
>
> So the restricted access subfolder is marked as "absent-directory". That
> is true in this context, as the subversion client never provided
> authentication. However, it means that the client will also never
> attempt to download the data, even though proper authentication was
> given on the command line!
>
> Regards,
> Freek Dijkstra
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
>
>
Received on Wed Jul 11 08:08:35 2007
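As an added example, not part of this thread or of Subversion itself, the following Python script parses a captured update-report body shaped like the XML excerpt Freek quoted and reports which directories the server marked as `absent-directory`. Comparing the anonymous response with an authenticated one (or with the directories actually present in a working copy) gives an administrator a way to audit whether a checkout silently skipped restricted subfolders, which is the failure mode the thread describes. The namespace URIs `svn:` and `DAV:` for the `S:` and `D:` prefixes, the wrapping `update-report`/`open-directory` elements, and both sample documents are assumptions constructed for this example; the excerpt in the mail omits them.

```python
import xml.etree.ElementTree as ET

# Assumed namespace bindings for the S: and D: prefixes seen in the excerpt.
SVN_NS = "svn:"
DAV_NS = "DAV:"

# Constructed sample: the anonymous response from the thread, wrapped in
# update-report/open-directory elements with namespace declarations so it
# parses stand-alone. The restricted folder is reported as absent.
ANON_REPORT = """<S:update-report xmlns:S="svn:" xmlns:D="DAV:">
  <S:target-revision rev="7"/>
  <S:open-directory rev="7">
    <S:absent-directory name="restrictedsubfolder"/>
    <S:add-directory name="publicsubfolder"
                     bc-url="/svn/myrepos/!svn/bc/7/publicsubfolder">
      <D:checked-in><D:href>/svn/myrepos/!svn/ver/7/publicsubfolder</D:href></D:checked-in>
    </S:add-directory>
  </S:open-directory>
</S:update-report>
"""

# Constructed sample: what the same request returns once credentials for
# "auser" are sent; the restricted folder is now a normal add-directory.
AUTHED_REPORT = """<S:update-report xmlns:S="svn:" xmlns:D="DAV:">
  <S:target-revision rev="7"/>
  <S:open-directory rev="7">
    <S:add-directory name="restrictedsubfolder"
                     bc-url="/svn/myrepos/!svn/bc/7/restrictedsubfolder">
      <D:checked-in><D:href>/svn/myrepos/!svn/ver/7/restrictedsubfolder</D:href></D:checked-in>
    </S:add-directory>
    <S:add-directory name="publicsubfolder"
                     bc-url="/svn/myrepos/!svn/bc/7/publicsubfolder">
      <D:checked-in><D:href>/svn/myrepos/!svn/ver/7/publicsubfolder</D:href></D:checked-in>
    </S:add-directory>
  </S:open-directory>
</S:update-report>
"""


def summarize_report(xml_text):
    """Return (added, absent): directory names the report adds, and names it
    marks as absent-directory (i.e. unreadable for the requesting identity)."""
    root = ET.fromstring(xml_text)
    added = [e.get("name") for e in root.iter("{%s}add-directory" % SVN_NS)]
    absent = [e.get("name") for e in root.iter("{%s}absent-directory" % SVN_NS)]
    return added, absent


def missing_after_checkout(anon_report, authed_report):
    """Directories the anonymous report hides but the authenticated report
    adds. A client that only ever issued the anonymous request would skip
    exactly these, without any error."""
    _, anon_absent = summarize_report(anon_report)
    authed_added, _ = summarize_report(authed_report)
    return sorted(set(anon_absent) & set(authed_added))


def dirs_missing_from_wc(authed_report, wc_dirs):
    """Top-level directories the authenticated report adds that are not in
    the checked-out working copy (wc_dirs: names of its top-level dirs)."""
    authed_added, _ = summarize_report(authed_report)
    return sorted(set(authed_added) - set(wc_dirs))


if __name__ == "__main__":
    print("anonymous view:", summarize_report(ANON_REPORT))
    print("silently skipped:", missing_after_checkout(ANON_REPORT, AUTHED_REPORT))
    # Simulate a working copy that only received the public folder.
    print("missing from wc:", dirs_missing_from_wc(AUTHED_REPORT, ["publicsubfolder"]))
```

To use this against a real server, capture the two report bodies (for example with a proxy or packet capture on a plain-HTTP test instance, as Freek did) and feed them to `missing_after_checkout`; a non-empty result means the anonymous-first request pattern would drop those directories. The `dirs_missing_from_wc` check needs only the authenticated response plus `os.listdir` of the working copy, so it can run as a post-checkout sanity check without any protocol capture.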