
Re: Apache 2.4/SVN 1.8.15 - cannot see top level directories

From: Stefan Hett <stefan_at_egosoft.com>
Date: Tue, 26 Apr 2016 11:59:01 +0200

On 4/25/2016 10:53 PM, Tom Kielty wrote:
>
> We currently run SVN 1.8.8 on Windows 2008 R2 with Apache 2.2 and LDAP
> SSPI authentication.
>
> We have 2 repositories. After authenticating you can see the top two
> directories in a browser.
>
> URL: http://<ip>/Repo1
>
> Shows:
>
> Directory1/
>
> Directory2/
>
> I am upgrading to SVN 1.8.15 with Apache 2.4 on Windows 2012 R2 with
> LDAP SSPI authentication.
>
> When I go to the same url after upgrading I am not asked for
> authentication when going to http://<ip>/Repo1
> but I see "Revision xxxx". I do not see Directory1 or Directory2.
>
> However if I go to http://<ip>/Repo1/Directory1 I am prompted to
> authenticate and I can see everything under Directory1.
>
> Here is my httpd.conf information:
>
> <Location /Repo1/>
>   DAV svn
>   SVNPath D:/Repo/Repo1
>   SVNListParentPath on
>   AuthName "SVN Server"
>   AuthType SSPI
>   SSPIAuth On
>   SSPIAuthoritative On
>   AuthzForceUsernameCase lower
>   SSPIDomain <mydomain>
>   SSPIOfferBasic on #let non-IE clients authenticate
>   SSPIOmitDomain On
>   AuthzSVNAccessFile "D:/Repo/Repo1/svnaccess.conf"
>   Satisfy any
>   Require valid-user
> </Location>
>
> I also have WebSVN which does show everything just fine.
>
> Any ideas?
>
Could it be that you have some additional path-based authorization set
up? See
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
If so, I seem to remember there was some security issue with that at
some point (aka: information disclosure of the directory names in some
specific scenario). Since 1.8.15 no longer displays the directories for
you, I'd take it that some version between 1.8.8 and 1.8.15 contains
that fix and therefore results in the different behavior you see.

Looking at the changelog for 1.8:
1.8.14:
[...]

  - Server-side bugfixes:
     * mod_authz_svn: do not leak information in mixed anonymous/authenticated
       httpd (dav) configurations (CVE-2015-3184)
     * do not leak paths that were hidden by path-based authz (CVE-2015-3187)

[...]

I take it these are the ones I happen to remember.

-- 
Regards,
Stefan Hett
Received on 2016-04-26 11:59:10 CEST
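To make the hypothesis in this reply concrete, the following is an added example (not code from the thread, and not Subversion's own authz implementation): a simplified Python model of an svnaccess.conf path-based authorization file, together with a directory listing that hides entries the caller may not read, which is the post-fix behaviour the CVE-2015-3187 changelog entry describes. The sample access file, the user names, the group and the directory tree are all constructed for the example; the rule-precedence model (most specific path wins, a rule for the user or their group wins over `*`) is a simplification of what the svnbook documents. The configuration quoted in the original question (`Satisfy any` with `Require valid-user` and an `AuthzSVNAccessFile`) is the mixed anonymous/authenticated setup named in the CVE-2015-3184 entry: anonymous callers are checked against the `*` rules, so a root that grants `* = r` is served without a prompt while children that grant `*` nothing disappear from the listing.

```python
"""Simplified model of Subversion path-based authz and of a listing filtered by it.

Added example; constructed data, not the poster's real svnaccess.conf.
"""
import configparser

# Constructed sample access file (assumption: illustrates the symptom in the thread).
SAMPLE_ACCESS = """
[groups]
devs = alice, bob

[Repo1:/]
* = r

[Repo1:/Directory1]
* =
@devs = rw

[Repo1:/Directory2]
* =
@devs = rw
"""

# Constructed sample repository tree: parent path -> child entry names.
SAMPLE_TREE = {"/": ["Directory1", "Directory2"], "/Directory1": ["trunk", "tags"]}


class Authz:
    """Parse an svnaccess.conf-style file and answer read/write questions."""

    def __init__(self, text):
        cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                       interpolation=None)
        cp.optionxform = str  # keep the case of user and group names
        cp.read_string(text)
        self.groups = {}
        if cp.has_section("groups"):
            for name, members in cp.items("groups"):
                self.groups[name] = {m.strip() for m in (members or "").split(",") if m.strip()}
        # (repo or None, path) -> list of (principal, perms)
        self.rules = {}
        for section in cp.sections():
            if section == "groups":
                continue
            repo, path = section.split(":", 1) if ":" in section else (None, section)
            path = "/" + path.strip("/")
            self.rules[(repo, path)] = [(p, (v or "").strip()) for p, v in cp.items(section)]

    def _applicable(self, rules, user):
        """Perms of the rule applying to user in one section; user/group rules beat '*'."""
        star = specific = None
        for principal, perms in rules:
            if principal == "*":
                star = perms
            elif principal == "$authenticated" and user is not None:
                specific = perms
            elif principal == "$anonymous" and user is None:
                specific = perms
            elif principal.startswith("@"):
                if user is not None and user in self.groups.get(principal[1:], set()):
                    specific = perms
            elif principal == user:
                specific = perms
        return specific if specific is not None else star

    def perms(self, repo, path, user=None):
        """Walk from path up to '/' and return the first applicable rule's perms."""
        path = "/" + path.strip("/")
        candidates = []
        while True:
            candidates.append(path)
            if path == "/":
                break
            path = path.rsplit("/", 1)[0] or "/"
        for p in candidates:
            for key in ((repo, p), (None, p)):  # repo-specific section first
                rules = self.rules.get(key)
                if rules is None:
                    continue
                found = self._applicable(rules, user)
                if found is not None:
                    return found
        return ""  # no rule at all: no access

    def can_read(self, repo, path, user=None):
        return "r" in self.perms(repo, path, user)


def visible_children(authz, repo, parent, tree, user=None):
    """Listing of parent with entries the user cannot read hidden (post-fix behaviour)."""
    base = parent.rstrip("/")
    return [c for c in tree.get(parent, []) if authz.can_read(repo, f"{base}/{c}", user)]


if __name__ == "__main__":
    authz = Authz(SAMPLE_ACCESS)
    for user in (None, "alice"):
        label = user or "anonymous"
        print(label, "reads /:", authz.can_read("Repo1", "/", user))
        print(label, "sees at /:", visible_children(authz, "Repo1", "/", SAMPLE_TREE, user))
```

Run as a script it prints that the anonymous caller may read `/` (so the root answers without an authentication prompt and shows only the revision) yet sees an empty listing, while `alice` sees both directories; the subdirectory URL fails for the anonymous caller, which is the point at which `Satisfy any` falls back to asking for credentials.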

This is an archived mail posted to the Subversion Users mailing list.
