Hi All,
Attached patch fixes issue 2753.
Quick description of 2753.
<Location /svn>
DAV svn
SVNParentPath /repositories
AuthType Basic
AuthName "My SVN"
AuthUserFile /etc/httpd/conf.d/users
allow from all
AuthzSVNAccessFile /etc/httpd/conf.d/svn_access_file
</Location>
With the above configuration 'wget http://localhost/svn' gets 403 Access
forbidden.
Thrown from the following stack trace.
mod_dav_svn/repos.c:dav_svn_split_uri() <-- This function throws this
403 logging the following in the error_log
"The URI does not contain the name "
"of a repository.");
mod_authz_svn:req_check_access()
mod_authz_svn:access_checker()
The suggested workaround for this issue is to define a <Location> with
a trailing slash, i.e. <Location /svn/>.
Why does this workaround work?
Whatever is defined in the <Location /svn> or <Location /svn/> is
passed as is in the variable named 'root_path'.
dav_svn_split_uri() always removes the trailing slash of the uri.
So uri becomes '/svn' and root_path becomes '/svn' or '/svn/' based on
how it is configured in the Location block.
In the workaround case
relative = ap_stripprefix("/svn", "/svn/"); //relative becomes '/svn'
and hence passes the rest of the code path without error.
While 'relative' becomes empty string for ap_stripprefix("/svn", "/svn")
and hence this 403.
About the fix:
Fix is to 'relax' mod_authz_svn for 'requests' that are for the repo parent.
I tested the following cases with this patch:
With the restrictive (read-only) authz, tried to set a prop on the '/' of
the repo (configured to serve via SVNPath); it failed as expected.
Ran through the testsuite; it did not break any new tests.
[[[
[issue2753] Fix issue 2753.
Relax requests aimed at the repo Parent path from authz control.
* subversion/mod_authz_svn/mod_authz_svn.c
(req_check_access): When canonicalized 'uri' and 'root_path' are same
allow the request.
]]]
If there are no objections, I will commit this in the next couple of days.
Thanks
With regards
Kamesh Jayachandran
Index: subversion/mod_authz_svn/mod_authz_svn.c
===================================================================
--- subversion/mod_authz_svn/mod_authz_svn.c (revision 931820)
+++ subversion/mod_authz_svn/mod_authz_svn.c (working copy)
@@ -210,6 +210,8 @@
svn_authz_t *access_conf = NULL;
svn_error_t *svn_err;
char errbuf[256];
+ const char *canonicalized_uri;
+ const char *canonicalized_root_path;
const char *username_to_authorize = get_username_to_authorize(r, conf);
switch (r->method_number)
@@ -249,6 +251,15 @@
break;
}
+ canonicalized_uri = svn_uri_canonicalize(r->uri, r->pool);
+ canonicalized_root_path = svn_uri_canonicalize(conf->base_path, r->pool);
+ if (strcmp(canonicalized_uri, canonicalized_root_path) == 0)
+ {
+ /*Do no access control when root_path(as configured in <Location>) and
+ given uri are same.*/
+ return OK;
+ }
+
dav_err = dav_svn_split_uri(r,
r->uri,
conf->base_path,
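Review bot: The early `return OK` after the `strcmp()` in this hunk skips the access-file check for any method that reaches this point, since it sits below the `switch (r->method_number)` and is not conditioned on how the location is configured. The log message says the intent is to relax requests aimed at the repo parent path, but nothing in the visible lines checks that `conf->base_path` belongs to an SVNParentPath location rather than an SVNPath one, where a URI equal to the base path addresses the repository root and should still be subject to AuthzSVNAccessFile. Suggest restricting the shortcut to the parent-path case (and ideally to read-only methods), or stating in the comment why the SVNPath case remains covered. Minor style: the comment needs a space after `/*` and before `*/`, and it refers to 'root_path' while the code compares `conf->base_path`.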