On Tue, Dec 7, 2010 at 11:59, Nick Stokes <randomaccessitera...@gmail.com> wrote:
> Hi all,
>
> I am serving our repositories over https, using Apache 2.2, via mod_dav_svn,
> also using mod_authz_svn for per-directory access control. Most users find
> the error messages cryptic (when there is a permission-related error on
> checkout, commit, and so on...) and I am wondering if there is a way to
> customize these messages?
>
> For example, the current (default?) setup spits out the following:
>
> If checkout fails due to insufficient permissions:
> svn: Server sent unexpected return value (403 Forbidden) in response to
> OPTIONS request for 'https://my.cool.server/foo/trunk'
>
> If checkout fails due to a spelling error in the repository name:
> svn: Server sent unexpected return value (403 Forbidden) in response to
> OPTIONS request for 'https://my.cool.server/f00/trunk'
I don't think Subversion can tell the difference here. If my AuthZ file specifies that I have access to /f00/trunk/ and I ask for /foo/trunk/, all that's really known is that I asked for a path which I do not have permission to access. Do you propose that the server scan for all possible "similar" repositories/paths in an attempt to find a match? Some would consider it a security risk to report "that exists, but you don't have rights to it" as opposed to "access denied." It's similar to *NIX systems and any other decent authentication interface reporting "invalid user id OR password" on a failed login attempt; don't give a potential attacker hints as to which part of their attempt they got correct.
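The reply above argues that a mistyped repository name and a real permission denial should look the same to the client. The following added example (not code from this thread or from the Subversion project) models that behaviour: it parses a constructed access file in the `[repo:/path]` / `user = rw` syntax that mod_authz_svn reads, resolves the effective rights by walking from the requested path up to the repository root (a simplified model of the real inheritance rules), and answers a checkout request with an identical 403 whether the repository is missing or the user is merely denied. The repository names, users and paths are all constructed for the example.

```python
import configparser

# Constructed sample access file in the AuthzSVNAccessFile syntax.
# Values: "rw" = read/write, "r" = read-only, "" (empty) = no access.
SAMPLE_AUTHZ = """
[foo:/]
alice = rw
bob = r

[foo:/trunk/secret]
bob =

[bar:/]
alice = r
"""

# The single response returned for every denied request, regardless of cause.
FORBIDDEN = (403, "Forbidden")


def parse_authz(text):
    """Parse "[repo:/path]" sections into {repo: {path: {user: rights}}}."""
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   empty_lines_in_values=False)
    cp.optionxform = str  # keep usernames case-sensitive
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        if ":" not in section:
            continue  # [groups] and [aliases] are outside this simplified model
        repo, path = section.split(":", 1)
        path = "/" + path.strip("/")
        rules.setdefault(repo, {})[path] = {
            user: (value or "") for user, value in cp.items(section)
        }
    return rules


def effective_rights(rules, repo, user, path):
    """Most specific matching path section wins; "*" is the fallback entry.

    Returns None when the repository is unknown or no rule mentions the user.
    """
    repo_rules = rules.get(repo)
    if repo_rules is None:
        return None
    parts = [p for p in path.split("/") if p]
    # Walk from the requested path up to "/", most specific section first.
    for i in range(len(parts), -1, -1):
        acl = repo_rules.get("/" + "/".join(parts[:i]))
        if acl is None:
            continue
        if user in acl:
            return acl[user]
        if "*" in acl:
            return acl["*"]
    return None


def options_request(rules, repo, path, user):
    """Model the server's answer to the OPTIONS request a checkout starts with.

    A non-existent repository and an existing-but-denied path both collapse
    into the same FORBIDDEN tuple, so the response does not reveal which
    part of the request was "correct".
    """
    rights = effective_rights(rules, repo, user, path)
    if rights is None or "r" not in rights:
        return FORBIDDEN
    return (200, "OK")


if __name__ == "__main__":
    rules = parse_authz(SAMPLE_AUTHZ)
    print(options_request(rules, "foo", "/trunk", "alice"))         # (200, 'OK')
    print(options_request(rules, "foo", "/trunk/secret", "bob"))    # exists, denied
    print(options_request(rules, "f00", "/trunk", "bob"))           # repository typo
```

The two denied cases print the same tuple; a client cannot use the response to learn whether `f00` exists. The same logic applies if the model is extended to 404 handling: any per-cause variation in status, body or timing is a signal worth reviewing from the defender's side.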