Posted to commits@subversion.apache.org by da...@apache.org on 2017/07/27 14:08:50 UTC

svn commit: r1803188 - in /subversion/trunk: notes/api-errata/1.10/ notes/api-errata/1.10/svnserve001.txt subversion/libsvn_repos/repos.c subversion/svnserve/serve.c

Author: danielsh
Date: Thu Jul 27 14:08:49 2017
New Revision: 1803188

URL: http://svn.apache.org/viewvc?rev=1803188&view=rev
Log:
svnserve: Make use-sasl=true a fatal error in SASL-less builds.

As a side effect, this revision also stops explicitly initializing 'min_ssf'
and 'max_ssf' in non-SASL mode.

This patch was tracked as SVN-4629.

* subversion/svnserve/serve.c
  (find_repos): Check 'use-sasl' in SASL-less builds, too.

* subversion/libsvn_repos/repos.c
  (create_conf): Update documentation.

* notes/api-errata/1.10/: New.
* notes/api-errata/1.10/svnserve001.txt: New.

Added:
    subversion/trunk/notes/api-errata/1.10/
    subversion/trunk/notes/api-errata/1.10/svnserve001.txt   (with props)
Modified:
    subversion/trunk/subversion/libsvn_repos/repos.c
    subversion/trunk/subversion/svnserve/serve.c

Added: subversion/trunk/notes/api-errata/1.10/svnserve001.txt
URL: http://svn.apache.org/viewvc/subversion/trunk/notes/api-errata/1.10/svnserve001.txt?rev=1803188&view=auto
==============================================================================
--- subversion/trunk/notes/api-errata/1.10/svnserve001.txt (added)
+++ subversion/trunk/notes/api-errata/1.10/svnserve001.txt Thu Jul 27 14:08:49 2017
@@ -0,0 +1,39 @@
+API ERRATA -- $Id$
+
+Root Cause of Errata: design error
+ Library(s) Affected: svnserve.conf
+Function(s) Affected: the 'use-sasl' configuration knob
+     New Behavior in: 1.10
+
+== Details ==
+
+The documentation of the '[sasl]' section and the 'use-sasl' option in
+svnserve.conf promised that that section would be ignored by Subversion builds
+compiled without SASL support.
+
+That behaviour violated the principle of least surprise and could lead to
+incorrect authentication and authorization settings being used, if an svnserve
+compiled without SASL support was inadvertently used with an svnserve.conf
+file specifying 'use-sasl = true'.
+
+svnserve has been changed to decline to serve a repository, if svnserve.conf
+contains the setting 'use-sasl = true' and SASL support was not compiled in.
+
+
+== Impact on API Users ==
+
+Subversion builds compiled with SASL support will have no change in behaviour.
+
+Subversion builds compiled without SASL support will now decline to serve
+repositories when the svnserve.conf config file sets 'use-sasl = true' in the
+'[sasl]' section.  Such repositories may set 'use-sasl = false' to restore the
+effective 1.9 behaviour, or recompile svnserve with SASL support to use SASL
+transport.
+
+If 'use-sasl' is not explicitly set (commented out), it defaults to 'false'.
+Installations using this setting are unaffected, regardless of svnserve compile
+options.
+
+The default location of svnserve.conf is REPOS_DIR/conf/svnserve.conf on the
+server (the file is not versioned), but this may be changed via the
+'--config-file' command-line option.

Propchange: subversion/trunk/notes/api-errata/1.10/svnserve001.txt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: subversion/trunk/notes/api-errata/1.10/svnserve001.txt
------------------------------------------------------------------------------
    svn:keywords = Id

Modified: subversion/trunk/subversion/libsvn_repos/repos.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_repos/repos.c?rev=1803188&r1=1803187&r2=1803188&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_repos/repos.c (original)
+++ subversion/trunk/subversion/libsvn_repos/repos.c Thu Jul 27 14:08:49 2017
@@ -882,7 +882,7 @@ create_conf(svn_repos_t *repos, apr_pool
 "[sasl]"                                                                     NL
 "### This option specifies whether you want to use the Cyrus SASL"           NL
 "### library for authentication. Default is false."                          NL
-"### This section will be ignored if svnserve is not built with Cyrus"       NL
+"### Enabling this option requires svnserve to have been built with Cyrus"   NL
 "### SASL support; to check, run 'svnserve --version' and look for a line"   NL
 "### reading 'Cyrus SASL authentication is available.'"                      NL
 "# use-sasl = true"                                                          NL
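Review bot: The reworded template line says enabling the option "requires" a SASL-enabled svnserve, but it does not tell the administrator what happens when that requirement is not met. Per the errata note in this commit, svnserve then declines to serve the repository, which is worth stating in the generated svnserve.conf itself. A line such as `"### SASL support; otherwise svnserve will refuse to serve the repository." NL` before the 'svnserve --version' hint would cover it. The string literal and create_conf both extend outside this hunk.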

Modified: subversion/trunk/subversion/svnserve/serve.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/svnserve/serve.c?rev=1803188&r1=1803187&r2=1803188&view=diff
==============================================================================
--- subversion/trunk/subversion/svnserve/serve.c (original)
+++ subversion/trunk/subversion/svnserve/serve.c Thu Jul 27 14:08:49 2017
@@ -3804,6 +3804,7 @@ find_repos(const char *url,
 {
   const char *path, *full_path, *fs_path, *hooks_env;
   svn_stringbuf_t *url_buf;
+  svn_boolean_t sasl_requested;
 
   /* Skip past the scheme and authority part. */
   path = skip_scheme_part(url);
@@ -3877,14 +3878,16 @@ find_repos(const char *url,
   SVN_ERR(load_authz_config(repository, repository->repos_root, cfg,
                             result_pool));
 
-#ifdef SVN_HAVE_SASL
+  /* Should we use Cyrus SASL? */
+  SVN_ERR(svn_config_get_bool(cfg, &sasl_requested,
+                              SVN_CONFIG_SECTION_SASL,
+                              SVN_CONFIG_OPTION_USE_SASL, FALSE));
+  if (sasl_requested)
     {
+#ifdef SVN_HAVE_SASL
       const char *val;
 
-      /* Should we use Cyrus SASL? */
-      SVN_ERR(svn_config_get_bool(cfg, &repository->use_sasl,
-                                  SVN_CONFIG_SECTION_SASL,
-                                  SVN_CONFIG_OPTION_USE_SASL, FALSE));
+      repository->use_sasl = sasl_requested;
 
       svn_config_get(cfg, &val, SVN_CONFIG_SECTION_SASL,
                     SVN_CONFIG_OPTION_MIN_SSF, "0");
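Review bot: The `SVN_ERR(svn_config_get_bool(...))` call for `use-sasl` now runs in SASL-less builds too, so a value that does not parse as a boolean presumably becomes an error there, where the whole section used to be skipped. The errata file added in this commit describes only the `use-sasl = true` case, so a sentence covering unparsable values would complete it. As a smaller style point, `repository->use_sasl = sasl_requested;` sits inside `if (sasl_requested)` and is therefore always true; `repository->use_sasl = TRUE;` would mirror the `FALSE` assignment in the `else` branch. find_repos continues outside this hunk.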
@@ -3893,8 +3896,18 @@ find_repos(const char *url,
       svn_config_get(cfg, &val, SVN_CONFIG_SECTION_SASL,
                     SVN_CONFIG_OPTION_MAX_SSF, "256");
       SVN_ERR(svn_cstring_atoui(&repository->max_ssf, val));
+#else /* !SVN_HAVE_SASL */
+      return svn_error_createf(SVN_ERR_BAD_CONFIG_VALUE, NULL,
+                               _("SASL requested but not compiled in; "
+                                 "set '%s' to 'false' or recompile "
+                                 "svnserve with SASL support"),
+                               SVN_CONFIG_OPTION_USE_SASL);
+#endif /* SVN_HAVE_SASL */
+    }
+  else
+    {
+      repository->use_sasl = FALSE;
     }
-#endif
 
   /* Use the repository UUID as the default realm. */
   SVN_ERR(svn_fs_get_uuid(repository->fs, &repository->realm, scratch_pool));
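Review bot: The new `else` branch assigns only `repository->use_sasl`, so `min_ssf` and `max_ssf` are no longer set on any path where SASL is not requested, as the log message acknowledges. Whether that is safe depends on how `repository` is allocated and on whether anything reads those fields when `use_sasl` is FALSE; neither is visible here, since find_repos starts and ends outside the hunk. I would either keep them defined with `repository->min_ssf = 0; repository->max_ssf = 0;` in the `else` branch, or add a comment there saying the two fields are meaningful only when `use_sasl` is TRUE. A `min-ssf` or `max-ssf` value configured alongside `use-sasl = false` is also no longer passed through `svn_cstring_atoui`, so a malformed value in a SASL build now goes unreported.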