On Tue, Dec 7, 2010 at 11:59, Nick Stokes
<randomaccessiterator_at_gmail.com> wrote:
> Hi all,
>
> I am serving our repositories over https, using Apache 2.2, via mod_dav_svn,
> also using mod_authz_svn for per directory access control. Most users find
> the error messages cryptic (when there is a permission related error on
> checkout, commit, so on...) and I am wondering if there is a way to
> customize these messages?
>
> For example, current (default?) set up spits out the following:
>
> If checkout fails due to insufficient permissions:
> svn: Server sent unexpected return value (403 Forbidden) in response to
> OPTIONS request for 'https://my.cool.server/foo/trunk'
>
> If checkout fails due to spelling error in repository name:
> svn: Server sent unexpected return value (403 Forbidden) in response to
> OPTIONS request for 'https://my.cool.server/f00/trunk'

I don't think Subversion can tell the difference here. If my AuthZ
file specifies that I have access to /f00/trunk/ and I ask for
/foo/trunk/, all that's really known is that I asked for a path which
I do not have permission to access. Do you propose that the server
scan for all possible "similar" repositories/paths in an attempt to
find a match?

Some would consider it a security risk to report "that exists, but you
don't have rights to it" as opposed to "access denied." It's similar
to *NIX systems and any other decent authentication interface
reporting "invalid user id OR password" on a failed login attempt;
don't give a potential attacker hints as to which part of their
attempt they got correct.
Received on 2010-12-07 19:13:07 CET
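The following is an added illustration, not code from the thread or from Subversion itself: a toy Python model of mod_authz_svn path-based rules, run against a constructed authz file with invented repository names (`foo`, `bar`), users (`alice`, `bob`, `carol`) and paths. It shows why both requests in the exchange above end in a 403: under path-based authz, "no rule grants this user access to `foo:/trunk`" and "no rule grants this user access to `f00:/trunk`" are the same outcome, and the `uniform_response` function returns them identically. The `leaky_response` function is a hypothetical contrast, the "exists, but you don't have rights to it" design the reply warns against, which lets an unauthenticated caller enumerate repository names by watching for 404 versus 403. Group and precedence handling is simplified and noted in the comments.

```python
"""Toy model of mod_authz_svn path-based access checks (added example, not
Subversion's own code).  Rule precedence is simplified: the most specific
matching section wins, and within a section a user rule beats group rules,
which beat the '*' rule."""
import configparser
from typing import Dict, Set, Tuple

# Constructed sample authz file in the mod_authz_svn format.  All
# repository names, users, groups and paths are invented for this example.
SAMPLE_AUTHZ = """
[groups]
devs = alice, bob

[foo:/]
@devs = r

[foo:/trunk]
alice = rw

[bar:/]
* = r
"""

# Constructed: repositories that "exist on disk" for the leaky variant below.
KNOWN_REPOS = {"foo", "bar"}


def parse_authz(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, Dict[str, str]]]:
    """Split an authz file into a group map and a map of [section] -> rules."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user, group and '*' keys case-sensitive
    cp.read_string(text)
    groups: Dict[str, Set[str]] = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    sections = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, sections


def _expand_group(name: str, groups: Dict[str, Set[str]], seen=None) -> Set[str]:
    """Flatten a group, following nested '@group' members, without looping."""
    if seen is None:
        seen = set()
    if name in seen:
        return set()
    seen.add(name)
    members: Set[str] = set()
    for m in groups.get(name, ()):
        if m.startswith("@"):
            members |= _expand_group(m[1:], groups, seen)
        else:
            members.add(m)
    return members


def rights_for(user: str, repo: str, path: str, groups, sections) -> Set[str]:
    """Return the set of rights ('r', 'w') the user holds on repo:path.

    Walk from the requested path up to '/', checking the repo-specific
    section before the repo-independent one at each level; the first section
    that has a rule applying to this user decides.  No rule at all means no
    rights, which is exactly what happens for a misspelled repository name."""
    path = "/" + path.strip("/")
    candidates = []
    while True:
        candidates.append(path)
        if path == "/":
            break
        path = path.rsplit("/", 1)[0] or "/"
    for p in candidates:
        for key in (f"{repo}:{p}", p):
            rules = sections.get(key)
            if rules is None:
                continue
            if user in rules:
                return set(rules[user])
            group_rights: Set[str] = set()
            matched_group = False
            for k, v in rules.items():
                if k.startswith("@") and user in _expand_group(k[1:], groups):
                    group_rights |= set(v)
                    matched_group = True
            if matched_group:
                return group_rights
            if "*" in rules:
                return set(rules["*"])
    return set()


AUTHZ = parse_authz(SAMPLE_AUTHZ)


def uniform_response(user: str, repo: str, path: str, need: str = "r"):
    """Behaviour consistent with the thread: authorization is decided from
    the rules alone, so an unknown repository and a forbidden one both get 403."""
    if need in rights_for(user, repo, path, *AUTHZ):
        return (200, "OK")
    return (403, "Forbidden")


def leaky_response(user: str, repo: str, path: str, need: str = "r"):
    """Hypothetical design the reply argues against: existence is reported
    before authorization, letting an attacker enumerate repository names."""
    if repo not in KNOWN_REPOS:
        return (404, "Not Found")
    if need in rights_for(user, repo, path, *AUTHZ):
        return (200, "OK")
    return (403, "Forbidden")


if __name__ == "__main__":
    for fn in (uniform_response, leaky_response):
        print(fn.__name__, "foo:", fn("carol", "foo", "/trunk"),
              "f00:", fn("carol", "f00", "/trunk"))
```

Run as a script, the uniform variant prints the same `(403, 'Forbidden')` for `foo:/trunk` and the typo `f00:/trunk`, while the leaky variant distinguishes them with a 404; that difference is the hint the reply says a server should not hand out.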