
May some account in group1 do some illegal modification into the group2 section?

From: Ricardo NUNEZ <r.nunez_at_groupeonepoint.com>
Date: Thu, 28 May 2015 18:23:47 +0000

Hi,

We're deploying a Subversion server 1.8.11 using Apache 2.4.12. All the clients are using the 1.8 protocol.

Let's say we only have two groups. We want every account in those groups to have read access to the whole repository, but read-write access to only their section. We're talking about LDAP groups, so AuthzSVNAccessFile doesn't help much without using additional scripts.

I found that the following authentication/authorization configuration works well, supposing that the base subversion URL is http://server/svn:

(...)
<RequireAny>
    <RequireAll>
        Require ldap-group CN=group1,OU=(...)
        <RequireAny>
            Require expr %{Request_URI} =~ m|^/svn/group1|
            Require expr %{Request_URI} =~ m|^/svn/\!svn|
            Require expr %{REQUEST_METHOD} in {'GET','OPTIONS','PROPFIND','REPORT'}
        </RequireAny>
    </RequireAll>

    <RequireAll>
        Require ldap-group CN=group2,OU=(...)
        <RequireAny>
            Require expr %{Request_URI} =~ m|^/svn/group2|
            Require expr %{Request_URI} =~ m|^/svn/\!svn|
            Require expr %{REQUEST_METHOD} in {'GET','OPTIONS','PROPFIND','REPORT'}
        </RequireAny>
    </RequireAll>
</RequireAny>
(...)

The real question here is that I don't know if we could be opening a potential security hole because of the sentence: Require expr %{Request_URI} =~ m|^/svn/\!svn|. Looking at the apache logs, I found that the URI '/svn/!svn(...)' appeared when trying to modify allowed information.

That is, given this configuration, is it possible that some account in group1 could do some illegal modification into the group2 section?

Thank you!

Ricardo

PS: To find the read-only HTTP methods, I used http://svn.apache.org/repos/asf/subversion/trunk/notes/http-and-webdav/webdav-protocol
Received on 2015-05-28 21:59:45 CEST
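An added Python model of the rule set posted above (it is not part of the original mail and not Apache's own expression evaluator): it transcribes the nested RequireAny/RequireAll/expr logic so that a constructed request can be checked for which clause, if any, accepts it. The group names are taken from the config; the LDAP DNs are elided on the page, so groups are identified by short name, and every request path below is a constructed sample.

```python
import re
from typing import Iterable, Optional, Set, Tuple

# The methods the posted config treats as read-only (from the third Require expr line).
READ_ONLY_METHODS = {"GET", "OPTIONS", "PROPFIND", "REPORT"}

# The two sections the posted config knows about (LDAP DNs elided on the page).
SECTIONS = ("group1", "group2")


def section_clause(section: str, method: str, uri: str) -> Optional[str]:
    """Inner <RequireAny> of one <RequireAll> block: the first expr that matches.

    Returns a label naming the matching clause, or None when none matches.
    Note that m|^/svn/group1| is an unanchored prefix on the right, exactly as
    in the config, so it would also match a hypothetical /svn/group10 section.
    """
    if re.match(rf"^/svn/{re.escape(section)}", uri):
        return f"own-section-uri ({section})"
    if re.match(r"^/svn/!svn", uri):          # m|^/svn/\!svn| in ap_expr syntax
        return "!svn-uri (any method)"
    if method in READ_ONLY_METHODS:
        return "read-only-method"
    return None


def authorize(groups: Set[str], method: str, uri: str) -> Optional[str]:
    """Outer <RequireAny>: the request passes if either group's <RequireAll> passes.

    <RequireAll> = membership in that group AND its inner <RequireAny>.
    Returns the label of the clause that granted access, or None for a denial.
    """
    for section in SECTIONS:
        if section in groups:
            clause = section_clause(section, method, uri)
            if clause is not None:
                return f"{section}: {clause}"
    return None


Request = Tuple[Set[str], str, str]

# Constructed sample requests: (LDAP groups of the caller, HTTP method, Request_URI).
# The transaction id in the !svn path is made up for illustration.
SAMPLE_REQUESTS: Iterable[Request] = [
    ({"group1"}, "GET", "/svn/group2/README"),                 # read across sections
    ({"group1"}, "PUT", "/svn/group1/README"),                 # write to own section
    ({"group1"}, "PUT", "/svn/group2/README"),                 # write to other section
    ({"group1"}, "PUT", "/svn/!svn/txr/42-1/group2/README"),   # write via an !svn URI
    ({"group2"}, "OPTIONS", "/svn/"),                          # read-only method on root
    (set(), "GET", "/svn/group1/README"),                      # not in either group
]


def audit(requests: Iterable[Request]) -> dict:
    """Map each constructed request to the clause that accepted it (None = denied)."""
    return {(frozenset(g), m, u): authorize(g, m, u) for g, m, u in requests}


if __name__ == "__main__":
    for (groups, method, uri), verdict in audit(SAMPLE_REQUESTS).items():
        print(f"{sorted(groups)!s:12} {method:8} {uri:40} -> {verdict or 'DENIED'}")
```

Running the audit shows what the config grants purely on the text of its rules: a member of either group is accepted for any method on any URI beginning with `/svn/!svn`, because that clause sits in the same RequireAny as the section and method tests and is satisfied on its own. Whether such a request can change the other section's files depends on how mod_dav_svn maps `!svn` activity and transaction URIs back to repository paths, which is information a Request_URI regex in mod_authz_core never sees; that is the reason path-based Subversion authorization is normally delegated to mod_authz_svn (AuthzSVNAccessFile, mentioned in the mail), which does understand those special URIs.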

This is an archived mail posted to the Subversion Users mailing list.
