On 4/25/2016 10:53 PM, Tom Kielty wrote:
We currently run SVN 1.8.8 on Windows 2008 R2 with Apache 2.2 and LDAP 
SSPI authentication.
We have 2 repositories. After authenticating you can see the top two 
directories in a browser.
URL: http://<ip>/Repo1

Shows:

Directory1/

Directory2/

I am upgrading to SVN 1.8.15 with Apache 2.4 on Windows 2012 R2 with LDAP SSPI authentication.
When I go to the same URL after upgrading I am not asked for 
authentication when going to http://<ip>/Repo1 
but I see “Revision xxxx”. I do not see Directory1 or Directory2.
However if I go to http://<ip>/Repo1/Directory1 I am prompted to authenticate and I 
can see everything under Directory1.
Here is my httpd.conf information:

<Location /Repo1/>
  DAV svn
  SVNPath D:/Repo/Repo1
  SVNListParentPath on
  AuthName "SVN Server"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  AuthzForceUsernameCase lower
  SSPIDomain <mydomain>
  # let non-IE clients authenticate
  # (Apache does not accept a comment after a directive on the same line)
  SSPIOfferBasic on
  SSPIOmitDomain On
  AuthzSVNAccessFile "D:/Repo/Repo1/svnaccess.conf"
  Satisfy any
  Require valid-user
</Location>

I also have WebSVN which does show everything just fine.

Any ideas?

Could it be that you have some additional path-based authorization set up? See http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html If so, I seem to remember there was some security issue with that at some point (aka: information disclosure of the directory names in some specific scenario). Since 1.8.15 no longer displays the directories for you, I'd take it that some version in between 1.8.8 and 1.8.15 contains that fix and therefore results in the different behavior you see.
Looking at the changelog for 1.8:
1.8.14:
[...]

 - Server-side bugfixes:
    * mod_authz_svn: do not leak information in mixed anonymous/authenticated
      httpd (dav) configurations (CVE-2015-3184)
    * do not leak paths that were hidden by path-based authz (CVE-2015-3187)

[...]

I take it these are the ones I happen to remember.

--
Regards,
Stefan Hett
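For anyone auditing a similar setup, the pattern the changelog entry for CVE-2015-3184 describes is visible in the posted httpd.conf: "Satisfy any" lets a request through without credentials whenever host-based access control passes, so anonymous users reach mod_dav_svn and the AuthzSVNAccessFile rules become the only thing hiding paths from them, while "Require valid-user" still forces a login wherever the anonymous user has no access. The script below is an added example written for this thread (not code from either poster or from the Subversion project). It parses <Location> blocks out of an httpd.conf text, flags the mixed anonymous/authenticated shape and the inline comment Apache would reject at startup, and shows the same block with "Satisfy any" removed so that only authenticated users reach the repository. Function names (parse_locations, audit, audit_config) and both sample configurations are constructed for the example; the first sample is a copy of the block in the thread.

```python
"""Audit Apache <Location> blocks for mod_dav_svn that mix anonymous and
authenticated access (the configuration shape CVE-2015-3184 concerns).

Added example for this thread, not the Subversion project's own tooling.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a copy of the block posted in the thread, including the
# trailing comment that Apache refuses to parse.
POSTED_CONF = """\
<Location /Repo1/>
  DAV svn
  SVNPath D:/Repo/Repo1
  SVNListParentPath on
  AuthName "SVN Server"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  AuthzForceUsernameCase lower
  SSPIDomain <mydomain>
  SSPIOfferBasic on #let non-IE clients authenticate
  SSPIOmitDomain On
  AuthzSVNAccessFile "D:/Repo/Repo1/svnaccess.conf"
  Satisfy any
  Require valid-user
</Location>
"""

# Constructed hardened variant: no "Satisfy any", so every request to the
# repository must carry valid credentials before path-based authz runs.
HARDENED_CONF = """\
<Location /Repo1/>
  DAV svn
  SVNPath D:/Repo/Repo1
  AuthName "SVN Server"
  AuthType SSPI
  SSPIAuth On
  SSPIAuthoritative On
  SSPIDomain <mydomain>
  # let non-IE clients authenticate
  SSPIOfferBasic on
  SSPIOmitDomain On
  AuthzSVNAccessFile "D:/Repo/Repo1/svnaccess.conf"
  Require valid-user
</Location>
"""


@dataclass
class LocationBlock:
    path: str
    directives: list = field(default_factory=list)  # (lowercase name, args)


def parse_locations(text):
    """Return a LocationBlock for every <Location ...> ... </Location> pair."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or full-line comment
            continue
        opening = re.match(r"<Location\s+(\S+)\s*>$", line, re.I)
        if opening:
            current = LocationBlock(path=opening.group(1))
            continue
        if re.match(r"</Location\s*>$", line, re.I):
            if current is not None:
                blocks.append(current)
            current = None
            continue
        if current is not None:
            name, _, args = line.partition(" ")
            current.directives.append((name.lower(), args.strip()))
    return blocks


def audit(block):
    """Return a list of human-readable findings for one <Location> block."""
    findings = []
    for name, args in block.directives:
        if "#" in args:
            findings.append(
                f"inline comment after '{name}': Apache does not allow a "
                f"comment on the same line as a directive"
            )
    d = dict(block.directives)  # last occurrence wins, enough for this check
    if d.get("dav", "").lower() != "svn":
        return findings  # not a Subversion location
    anonymous_allowed = d.get("satisfy", "").lower() == "any"
    requires_user = d.get("require", "").lower() == "valid-user"
    if anonymous_allowed and requires_user:
        if "authzsvnaccessfile" in d:
            findings.append(
                "mixed anonymous/authenticated access: 'Satisfy any' admits "
                "anonymous requests and only the AuthzSVNAccessFile rules hide "
                "paths from them (pattern of CVE-2015-3184 on httpd 2.4)"
            )
        else:
            findings.append(
                "'Satisfy any' with no AuthzSVNAccessFile: repository is "
                "readable without credentials"
            )
    return findings


def audit_config(text):
    """Map each <Location> path in an httpd.conf text to its findings."""
    return {b.path: audit(b) for b in parse_locations(text)}


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        for path, findings in audit_config(conf).items():
            print(f"[{label}] {path}: {findings or 'no findings'}")
```

Running it reports two findings for the posted block (the inline comment and the mixed-access pattern) and none for the hardened one. Removing "Satisfy any" is only the right fix if anonymous read access was never intended; where it was, the 1.8.14 fixes named in the changelog above are what close the leak, and the access file still decides per path what an authenticated user may see.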
