Posted to commits@subversion.apache.org by da...@apache.org on 2017/07/27 14:08:50 UTC
svn commit: r1803188 - in /subversion/trunk: notes/api-errata/1.10/
notes/api-errata/1.10/svnserve001.txt subversion/libsvn_repos/repos.c
subversion/svnserve/serve.c
Author: danielsh
Date: Thu Jul 27 14:08:49 2017
New Revision: 1803188
URL: http://svn.apache.org/viewvc?rev=1803188&view=rev
Log:
svnserve: Make use-sasl=true a fatal error in SASL-less builds.
As a side effect, this revision also stops explicitly initializing 'min_ssf'
and 'max_ssf' in non-SASL mode.
This patch was tracked as SVN-4629.
* subversion/svnserve/serve.c
(find_repos): Check 'use-sasl' in SASL-less builds, too.
* subversion/libsvn_repos/repos.c
(create_conf): Update documentation.
* notes/api-errata/1.10/: New.
* notes/api-errata/1.10/svnserve001.txt: New.
Added:
subversion/trunk/notes/api-errata/1.10/
subversion/trunk/notes/api-errata/1.10/svnserve001.txt (with props)
Modified:
subversion/trunk/subversion/libsvn_repos/repos.c
subversion/trunk/subversion/svnserve/serve.c
Added: subversion/trunk/notes/api-errata/1.10/svnserve001.txt
URL: http://svn.apache.org/viewvc/subversion/trunk/notes/api-errata/1.10/svnserve001.txt?rev=1803188&view=auto
==============================================================================
--- subversion/trunk/notes/api-errata/1.10/svnserve001.txt (added)
+++ subversion/trunk/notes/api-errata/1.10/svnserve001.txt Thu Jul 27 14:08:49 2017
@@ -0,0 +1,39 @@
+API ERRATA -- $Id$
+
+Root Cause of Errata: design error
+ Library(s) Affected: svnserve.conf
+Function(s) Affected: the 'use-sasl' configuration knob
+ New Behavior in: 1.10
+
+== Details ==
+
+The documentation of the '[sasl]' section and the 'use-sasl' option in
+svnserve.conf promised that that section would be ignored by Subversion builds
+compiled without SASL support.
+
+That behaviour violated the principle of least surprise and could lead to
+incorrect authentication and authorization settings being used, if an svnserve
+compiled without SASL support was inadvertently used with an svnserve.conf
+file specifying 'use-sasl = true'.
+
+svnserve has been changed to decline to serve a repository, if svnserve.conf
+contains the setting 'use-sasl = true' and SASL support was not compiled in.
+
+
+== Impact on API Users ==
+
+Subversion builds compiled with SASL support will have no change in behaviour.
+
+Subversion builds compiled without SASL support will now decline to serve
+repositories when the svnserve.conf config file sets 'use-sasl = true' in the
+'[sasl]' section. Such repositories may set 'use-sasl = false' to restore the
+effective 1.9 behaviour, or recompile svnserve with SASL support to use SASL
+transport.
+
+If 'use-sasl' is not explicitly set (commented out), it defaults to 'false'.
+Installations using this setting are unaffected, regardless of svnserve compile
+options.
+
+The default location of svnserve.conf is REPOS_DIR/conf/svnserve.conf on the
+server (the file is not versioned), but this may be changed via the
+'--config-file' command-line option.
Propchange: subversion/trunk/notes/api-errata/1.10/svnserve001.txt
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: subversion/trunk/notes/api-errata/1.10/svnserve001.txt
------------------------------------------------------------------------------
svn:keywords = Id
Modified: subversion/trunk/subversion/libsvn_repos/repos.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_repos/repos.c?rev=1803188&r1=1803187&r2=1803188&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_repos/repos.c (original)
+++ subversion/trunk/subversion/libsvn_repos/repos.c Thu Jul 27 14:08:49 2017
@@ -882,7 +882,7 @@ create_conf(svn_repos_t *repos, apr_pool
"[sasl]" NL
"### This option specifies whether you want to use the Cyrus SASL" NL
"### library for authentication. Default is false." NL
-"### This section will be ignored if svnserve is not built with Cyrus" NL
+"### Enabling this option requires svnserve to have been built with Cyrus" NL
"### SASL support; to check, run 'svnserve --version' and look for a line" NL
"### reading 'Cyrus SASL authentication is available.'" NL
"# use-sasl = true" NL
Modified: subversion/trunk/subversion/svnserve/serve.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/svnserve/serve.c?rev=1803188&r1=1803187&r2=1803188&view=diff
==============================================================================
--- subversion/trunk/subversion/svnserve/serve.c (original)
+++ subversion/trunk/subversion/svnserve/serve.c Thu Jul 27 14:08:49 2017
@@ -3804,6 +3804,7 @@ find_repos(const char *url,
{
const char *path, *full_path, *fs_path, *hooks_env;
svn_stringbuf_t *url_buf;
+ svn_boolean_t sasl_requested;
/* Skip past the scheme and authority part. */
path = skip_scheme_part(url);
@@ -3877,14 +3878,16 @@ find_repos(const char *url,
SVN_ERR(load_authz_config(repository, repository->repos_root, cfg,
result_pool));
-#ifdef SVN_HAVE_SASL
+ /* Should we use Cyrus SASL? */
+ SVN_ERR(svn_config_get_bool(cfg, &sasl_requested,
+ SVN_CONFIG_SECTION_SASL,
+ SVN_CONFIG_OPTION_USE_SASL, FALSE));
+ if (sasl_requested)
{
+#ifdef SVN_HAVE_SASL
const char *val;
- /* Should we use Cyrus SASL? */
- SVN_ERR(svn_config_get_bool(cfg, &repository->use_sasl,
- SVN_CONFIG_SECTION_SASL,
- SVN_CONFIG_OPTION_USE_SASL, FALSE));
+ repository->use_sasl = sasl_requested;
svn_config_get(cfg, &val, SVN_CONFIG_SECTION_SASL,
SVN_CONFIG_OPTION_MIN_SSF, "0");
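Review bot: The comment `/* Should we use Cyrus SASL? */` above the `svn_config_get_bool()` call does not say why the lookup now sits outside `#ifdef SVN_HAVE_SASL`, and that placement is the security-relevant part of this change. A later cleanup that moves the read back under the guard would silently restore the old behaviour of ignoring 'use-sasl = true'. I would expand it to something like `/* Read 'use-sasl' in every build, so that a SASL-less svnserve refuses the repository instead of ignoring the setting. */`. Inside the branch, `repository->use_sasl = sasl_requested;` can only assign a true value, so `repository->use_sasl = TRUE;` would read more plainly next to the `FALSE` in the else branch. The `if (sasl_requested)` block opens in this hunk and closes in the next one.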
@@ -3893,8 +3896,18 @@ find_repos(const char *url,
svn_config_get(cfg, &val, SVN_CONFIG_SECTION_SASL,
SVN_CONFIG_OPTION_MAX_SSF, "256");
SVN_ERR(svn_cstring_atoui(&repository->max_ssf, val));
+#else /* !SVN_HAVE_SASL */
+ return svn_error_createf(SVN_ERR_BAD_CONFIG_VALUE, NULL,
+ _("SASL requested but not compiled in; "
+ "set '%s' to 'false' or recompile "
+ "svnserve with SASL support"),
+ SVN_CONFIG_OPTION_USE_SASL);
+#endif /* SVN_HAVE_SASL */
+ }
+ else
+ {
+ repository->use_sasl = FALSE;
}
-#endif
/* Use the repository UUID as the default realm. */
SVN_ERR(svn_fs_get_uuid(repository->fs, &repository->realm, scratch_pool));
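Review bot: With the SSF parsing now inside `if (sasl_requested)`, the `else` branch sets only `repository->use_sasl = FALSE` and leaves `repository->min_ssf` and `repository->max_ssf` untouched, whereas the old code in a SASL build always parsed them. Whether `repository` is zero-filled at allocation is not visible in this hunk, so any reader of those fields that does not first check `use_sasl` would see whatever the allocation left there. Either assign the previous defaults in the else branch, `repository->min_ssf = 0; repository->max_ssf = 256;`, or add a comment such as `/* min_ssf and max_ssf are meaningful only when use_sasl is TRUE. */`. The log message names this as a side effect, but the code itself records nothing about it. find_repos continues beyond both ends of the hunk.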