List: subversion-issues
Subject: [Issue 2388] New - Repository could be m
From: oka@tigris.org
Date: 2005-08-26 16:18:02
Message-ID: 20050826161802.4905.qmail@tigris.org
http://subversion.tigris.org/issues/show_bug.cgi?id=2388
Issue #|2388
Summary|Repository could be modified without write access.
Component|subversion
Version|1.2.x
Platform|All
URL|
OS/Version|All
Status|NEW
Status whiteboard|
Keywords|
Resolution|
Issue type|DEFECT
Priority|P3
Subcomponent|libsvn_ra_dav
Assigned to|issues@subversion
Reported by|oka
------- Additional comments from oka@tigris.org Fri Aug 26 09:18:02 -0700 2005 -------
Hello,
I found the following security issue with DAV repository access. Below is
JavaSVN code:
// JavaSVN: open a commit editor against the repository and close it
// without touching any file or directory.
SVNRepository repos = SVNRepositoryFactory.createRepository(...);
ISVNEditor editor = repos.getCommitEditor("message", null);
editor.openRoot(-1);   // open the root directory for editing (-1 = HEAD)
editor.closeEdit();    // finish the commit: an empty revision is created
In the above code no exception is thrown, and the repository revision goes up after
the commit. The user does not have write access to the repository, only read-only
access. Adding an editor.addFile(...) call causes an auth exception to be thrown.
Tested with Subversion repository 1.2.1, but it is not reproducible with the
Subversion repository at svn.collab.net. Probably MKACTIVITY requires
authentication with some Apache servers/configurations and does not require it
with others.
My Apache configuration is:
<Location /svn/repos>
  DAV svn
  SVNParentPath /var/svn/repos
  AuthzSVNAccessFile conf/svn-access
  Satisfy Any
  Require valid-user
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile conf/svn-passwd
</Location>
svn-access file:
[/]
* = r
user0 = rw
user1 = rw
user2 = rw
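The report's symptom is a WebDAV write method (MKACTIVITY, then MERGE) being accepted from a principal the svn-access file only grants "r". The script below is an added example, not code from the report or from Subversion: it parses the svn-access file quoted above, replays Apache access-log lines against it, and flags every non-read method issued by a user without "w" on the affected path, distinguishing attempts the server rejected from ones it accepted. The log lines, hostnames, activity tokens and the "guest" user are constructed; the read-only and write method sets, the mapping of "!svn/act" and "!svn/wrk" URLs onto repository paths, and all function names are this example's own simplifications, not what mod_dav_svn does internally.

```python
"""Replay Apache access-log lines against a Subversion authz file and flag
repository writes by principals the authz file does not grant 'w'.
Added example; the authz text is the svn-access file from the report,
the log lines are constructed."""
import re
import configparser

# The svn-access file exactly as quoted in the report: everyone may read,
# only user0..user2 may write.
SVN_ACCESS = """\
[/]
* = r
user0 = rw
user1 = rw
user2 = rw
"""

# Assumed method classes. Everything outside the read-only set is treated
# as a write; MKACTIVITY is the method that opens a commit transaction.
READ_ONLY_METHODS = {"GET", "HEAD", "OPTIONS", "PROPFIND", "REPORT"}

# Constructed sample log (combined format). The third field is the
# authenticated user; '-' means the request was anonymous.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Aug/2005:09:10:01 -0700] "OPTIONS /svn/repos/project HTTP/1.1" 200 0
10.0.0.5 - - [26/Aug/2005:09:10:02 -0700] "PROPFIND /svn/repos/project HTTP/1.1" 207 512
10.0.0.5 - - [26/Aug/2005:09:10:03 -0700] "MKACTIVITY /svn/repos/project/!svn/act/0a1b2c HTTP/1.1" 201 0
10.0.0.5 - - [26/Aug/2005:09:10:04 -0700] "MERGE /svn/repos/project HTTP/1.1" 200 300
10.0.0.7 - user0 [26/Aug/2005:09:11:00 -0700] "MKACTIVITY /svn/repos/project/!svn/act/3d4e5f HTTP/1.1" 201 0
10.0.0.8 - guest [26/Aug/2005:09:12:00 -0700] "PUT /svn/repos/project/!svn/wrk/6a7b8c/trunk/README HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_authz(text):
    """Parse the INI-style authz file into {path_section: {principal: perms}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def effective_perms(authz, user, repo_path):
    """Longest-prefix path section wins; a named entry beats '*'.
    Anonymous (user is None) only ever gets the '*' entry."""
    best = None
    for section in authz:
        if repo_path == section or repo_path.startswith(section.rstrip("/") + "/"):
            if best is None or len(section) > len(best):
                best = section
    if best is None:
        return ""
    rules = authz[best]
    if user is not None and user in rules:
        return rules[user]
    return rules.get("*", "")


def parse_log_line(line):
    """Return (user_or_None, method, uri, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    user = None if m.group("user") == "-" else m.group("user")
    return user, m.group("method"), m.group("uri"), int(m.group("status"))


def repo_relative_path(uri, location="/svn/repos"):
    """Map a URI under SVNParentPath to a repository-relative path (simplified
    assumption): activity URLs (!svn/act/...) have no path in the repository,
    so they are checked against '/'; working-resource URLs
    (!svn/wrk/<token>/<path>) are mapped to <path>."""
    if not uri.startswith(location + "/"):
        return None
    inside = uri[len(location):].split("/")[2:]  # drop "" and the repo name
    if inside and inside[0] == "!svn":
        if len(inside) > 2 and inside[1] == "wrk":
            return "/" + "/".join(inside[3:])
        return "/"
    return "/" + "/".join(inside)


def find_unauthorized_writes(log_text, authz_text, location="/svn/repos"):
    """Return (line_no, user, method, status) for every non-read request whose
    principal lacks 'w' on the affected path; status < 400 means the server
    accepted it, which is the report's symptom."""
    authz = parse_authz(authz_text)
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        user, method, uri, status = parsed
        if method in READ_ONLY_METHODS:
            continue
        path = repo_relative_path(uri, location)
        if path is None:
            continue
        if "w" not in effective_perms(authz, user, path):
            findings.append((lineno, user or "anonymous", method, status))
    return findings


def accepted_writes(findings):
    """Subset of findings the server answered with a success status."""
    return [f for f in findings if f[3] < 400]


if __name__ == "__main__":
    hits = find_unauthorized_writes(SAMPLE_LOG, SVN_ACCESS)
    for lineno, user, method, status in hits:
        verdict = "ACCEPTED" if status < 400 else "rejected"
        print(f"line {lineno}: {user} issued {method} without write access ({status}, {verdict})")
```

On the constructed log the anonymous MKACTIVITY and MERGE on lines 3 and 4 are reported as accepted (the empty-commit case from the report), while the PUT by the read-only "guest" on line 6 is reported but was rejected with 401. The same loop run over a real access log from a server configured as above separates "authz says no" from "Apache let it through", which is the distinction the report turns on.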