On Fri, May 16, 2014 at 2:05 PM, Ben Reser <b...@reser.org> wrote:

> On 5/15/14, 1:15 AM, Terry Dooher wrote:
> > That's so much clearer now and sounds like something I can definitely use.
> > As I understand it, the downside is that the server will reveal path components
> > and filenames within restricted areas during log operations?
>
> Don't think you quite understand yet. If Subversion is revealing path
> components/filenames within restricted areas during log then it can be
> revealing file contents (by way of the REPORT method and bulk updates).
>
> The short_circuit setting can only break security in this way if and only if
> you have some other module than mod_authz_svn that looks at paths to determine
> what access to provide. Many modules may have different configurations per
> Location, but most don't look at the path like mod_authz_svn does and give
> different answers within the same Location for the same request. In fact I'm
> not aware of any such module that does this that comes with httpd, so you'd
> have to install some 3rd party or custom module to run into this. Meaning for
> the vast majority of users if they're using mod_authz_svn they should have
> SVNPathAuthz set to short_circuit.
>
> The off setting should never be used with mod_authz_svn. It's probably
> possible to configure things such that you only leak file paths, by disabling
> bulk updates. But I'm not 100% sure that there isn't an edge case that
> wouldn't be missed by that.
>
> For the vast majority of users these rules are true:
>
> Using mod_authz_svn with an AuthzSVNAccessFile set you want SVNPathAuthz set to
> short_circuit.
> Not using mod_authz_svn, no AuthzSVNAccessFile set, you want SVNPathAuthz set
> to off.
>
> The exception is if you use some weird authorization module like I
> explained above.

I recall there is a valid scenario for using "off" and that is when you are only using authz to restrict write access to some paths. If all paths in the repository are readable, then I believe "off" works properly in all scenarios. Meaning it is not possible to write to any paths that you do not have access to.

--
Thanks

Mark Phippard
http://markphip.blogspot.com/
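
The rules discussed in this thread, expressed as a small audit of httpd `<Location>` blocks. This is an added example, not code from the thread or from the Subversion project; the sample configuration is constructed, and the names `directive` and `audit` are hypothetical.

```python
import re

# Constructed sample httpd configuration fragments (not from the thread).
SAMPLE_CONF = """
<Location /svn/private>
  DAV svn
  AuthzSVNAccessFile /etc/svn/authz
  SVNPathAuthz off
</Location>
<Location /svn/team>
  DAV svn
  AuthzSVNAccessFile /etc/svn/authz
  SVNPathAuthz short_circuit
</Location>
<Location /svn/public>
  DAV svn
  SVNPathAuthz off
</Location>
<Location /svn/default>
  DAV svn
  AuthzSVNAccessFile /etc/svn/authz
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+?)>(.*?)</Location>", re.S | re.I)

def directive(body, name):
    """Return the last value given for a directive in a block, or None."""
    hits = re.findall(rf"^\s*{name}\s+(\S+)", body, re.M | re.I)
    return hits[-1] if hits else None

def audit(conf):
    """Map each 'DAV svn' Location to a finding based on the thread's rules."""
    findings = {}
    for path, body in LOCATION_RE.findall(conf):
        if (directive(body, "DAV") or "").lower() != "svn":
            continue
        has_authz = directive(body, "AuthzSVNAccessFile") is not None
        mode = (directive(body, "SVNPathAuthz") or "on").lower()  # default is On
        if has_authz and mode == "off":
            # Only acceptable when authz restricts writes and all paths are readable.
            findings[path] = "REVIEW: off with an authz file can leak restricted paths"
        elif has_authz and mode == "on":
            findings[path] = "INFO: short_circuit is recommended with mod_authz_svn"
        elif not has_authz and mode != "off":
            findings[path] = "INFO: no authz file, SVNPathAuthz can be off"
        else:
            findings[path] = "OK"
    return findings
```

The check cannot tell whether an authz file restricts reads or only writes, so `off` combined with an authz file is reported for manual review rather than as a definite misconfiguration.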