On 4/25/2016 10:53 PM, Tom Kielty wrote:
We currently run SVN 1.8.8 on Windows 2008 R2 with Apache 2.2 and LDAP
SSPI authentication.
We have 2 repositories. After authenticating you can see the top two
directories in a browser.
URL: http://<ip>/Repo1
Shows:
Directory1/
Directory2/
I am upgrading to SVN 1.8.15 with Apache 2.4 on Windows 2012 R2 with
LDAP SSPI authentication.
When I go to the same URL after upgrading I am not asked for
authentication when going to http://<ip>/Repo1
but I see “Revision xxxx”. I do not see Directory1 or Directory2.
However if I go to http://<ip>/Repo1/Directory1
I am prompted to authenticate and I
can see everything under Directory1.
Here is my httpd.conf information:
<Location /Repo1/>
DAV svn
SVNPath D:/Repo/Repo1
SVNListParentPath on
AuthName "SVN Server"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
AuthzForceUsernameCase lower
SSPIDomain <mydomain>
# let non-IE clients authenticate
SSPIOfferBasic on
SSPIOmitDomain On
AuthzSVNAccessFile "D:/Repo/Repo1/svnaccess.conf"
Satisfy any
Require valid-user
</Location>
I also have WebSVN which does show everything just fine.
Any ideas?
Could it be that you have some additional path-based authorization set
up? See
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
If so, I seem to remember there was some security issue with that at
some point (aka: information disclosure of the directory names in some
specific scenario). Since 1.8.15 no longer displays the directories for
you, I'd take it that some version in between 1.8.8 and 1.8.15 contains
that fix and therefore results in the different behavior you see.
Looking at the changelog for 1.8:
1.8.14:
[...]
- Server-side bugfixes:
* mod_authz_svn: do not leak information in mixed anonymous/authenticated
httpd (dav) configurations (CVE-2015-3184)
* do not leak paths that were hidden by path-based authz (CVE-2015-3187)
[...]
I take it these are the ones I happen to remember.
--
Regards,
Stefan Hett
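
An added example, not part of the original thread: a small Python model of how path-based authz combined with "Satisfy any" / "Require valid-user" can produce the reported symptoms on a server that filters hidden paths. The access file contents, group and user names are constructed (the real svnaccess.conf is not shown above), only plain [/path] sections are handled, and load_rules, anon_can_read and browse are hypothetical helper names.

```python
import configparser

# Constructed stand-in for svnaccess.conf; the real file is not shown in the thread.
SAMPLE_AUTHZ = """
[groups]
devs = alice, bob

[/]
* = r

[/Directory1]
* =
@devs = rw

[/Directory2]
* =
@devs = r
"""

def load_rules(text):
    """Parse [/path] sections into {path: {principal: rights}}; [groups] is skipped."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep principal names case-sensitive
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s != "groups"}

def anon_can_read(rules, path):
    """The nearest section (path, then each parent) naming '*' or '$anonymous' decides."""
    path = "/" + path.strip("/")
    while True:
        section = rules.get(path, {})
        grants = [section[w] for w in ("*", "$anonymous") if w in section]
        if grants:
            return any("r" in g for g in grants)
        if path == "/":
            return False  # no matching rule at all means no access
        path = path.rsplit("/", 1)[0] or "/"

def browse(rules, path, children):
    """Unauthenticated GET of a directory on a server that tries anonymous access first."""
    if not anon_can_read(rules, path):
        return "401 authenticate", []
    base = path.rstrip("/")
    return "200 anonymous", [c for c in children if anon_can_read(rules, f"{base}/{c}")]

if __name__ == "__main__":
    rules = load_rules(SAMPLE_AUTHZ)
    print(browse(rules, "/", ["Directory1", "Directory2"]))  # root served, children hidden
    print(browse(rules, "/Directory1", ["trunk"]))           # subdirectory prompts for login
```

With the root "* = r" line removed from the sample, the first call returns a 401 as well, so the listing is only ever rendered for an authenticated user.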