On Mon, Apr 1, 2013 at 9:01 PM, Ben Reser <b...@reser.org> wrote:
> Done along with the doc change mentioned above in r1463374.

Glad I ended up looking at this. Found two security holes in mod_authz_svn that we introduced in trunk. Both caused by the improper handling of the cache_key. I added the one when I added in-repo-authz (specifically the support for repos-relative URLs) and the other was added by the addition of the groups file directive. They were much easier to fix when the server resolves the repos-relative URLs since you really want to use the absolute URL as part of the cache_key.
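
A simplified model of the cache_key problem described in the message above, added here as an example; it is not mod_authz_svn's code. The struct, function names, key prefix and URLs are hypothetical, and it assumes `^/` marks a repos-relative URL and that a cached authz object is looked up by key alone.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of one <Location>'s authz settings (hypothetical names). */
struct authz_cfg { const char *repos_root, *access_file, *groups_file; };

/* "^/path" is repos-relative: resolve it against the repository root URL.
   Anything else is taken as already absolute; NULL means "not configured". */
static void resolve(const char *root, const char *url, char *out, size_t n)
{
    if (url == NULL)
        snprintf(out, n, "%s", "");
    else if (strncmp(url, "^/", 2) == 0)
        snprintf(out, n, "%s%s", root, url + 1);
    else
        snprintf(out, n, "%s", url);
}

/* Flawed key: the access file string exactly as configured, nothing else. */
static void weak_key(const struct authz_cfg *c, char *out, size_t n)
{
    snprintf(out, n, "authz-cache:%s", c->access_file);
}

/* Corrected key: both files, resolved, length-prefixed so the two fields
   cannot run together ambiguously. */
static void strong_key(const struct authz_cfg *c, char *out, size_t n)
{
    char a[512], g[512];
    resolve(c->repos_root, c->access_file, a, sizeof a);
    resolve(c->repos_root, c->groups_file, g, sizeof g);
    snprintf(out, n, "authz-cache:%zu:%s%zu:%s", strlen(a), a, strlen(g), g);
}

/* 1 if the two configurations would share one cached authz object. */
int shares_entry(const struct authz_cfg *x, const struct authz_cfg *y, int strong)
{
    char kx[1200], ky[1200];
    (strong ? strong_key : weak_key)(x, kx, sizeof kx);
    (strong ? strong_key : weak_key)(y, ky, sizeof ky);
    return strcmp(kx, ky) == 0;
}

int main(void)
{
    struct authz_cfg a = { "http://svn.example/repos/a", "^/conf/authz", NULL };
    struct authz_cfg b = { "http://svn.example/repos/b", "^/conf/authz", NULL };
    printf("weak: %d strong: %d\n", shares_entry(&a, &b, 0), shares_entry(&a, &b, 1));
    return 0;
}
```

With the flawed key, two repositories that both configure `^/conf/authz` map to one cache entry, as do two configurations that differ only in their groups file; the corrected key separates both cases.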