Posted to users@subversion.apache.org by Freek Dijkstra <pu...@macfreek.nl> on 2007/07/08 18:08:49 UTC

svn co ignores subfolders with restricted access

Hi,

I seem to have a problem with my svn client.
Summary: "svn checkout" ignores subfolders with restricted access, even
when I provide proper authentication. It works fine for the root folder;
only subfolders give problems.

I've got a repository set up as follows:

* The root is accessible as anonymous:
https://svn.uva.netherlight.nl/projects/ndl/
(check out yourself; you should be able to see this)

* One of the subfolders is only accessible for certain authorized users:
https://svn.uva.netherlight.nl/projects/ndl/Articles/
(check out yourself; you should get a 401 result)

With the svn client (I tested versions 1.4.0 and 1.4.2), I can indeed
read the above:
% svn checkout https://svn.uva.netherlight.nl/projects/ndl/
gives me all except the restricted access folders, without warnings.
This is expected.

% svn checkout --username myaccount --password verysecret \
  https://svn.uva.netherlight.nl/projects/ndl/Articles/
(with obviously correct username and password)
indeed gives me this non-public subfolder.
Again, as expected.

% svn checkout --username myaccount --password verysecret \
  https://svn.uva.netherlight.nl/projects/ndl/
Does get me exactly the same as when I did not give a username and
password, and ignores the Articles subfolder.

This is not what I expected: I expected that the subfolders would be
downloaded as well, as I did provide proper authentication.

Is this intended behaviour or a bug? I searched the list archive to find
similar problems, but all I could find were questions about setting up
the server (which seems fine here).

Unfortunately, debugging is hard as svn checkout does not have a
--verbose option, and I can not snoop on the actual HTTPS queries on the
wire, as HTTPS is encrypted.

Regards,
Freek Dijkstra

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: svn co ignores subfolders with restricted access

Posted by Freek Dijkstra <pu...@macfreek.nl>.
PS: I forgot to mention the versions I used:

subversion client: 1.4.0 (r21228), also tested with 1.4.2
subversion server: 1.4.0 (r21228), also tested with 1.3.0
neon (HTTP client): 0.25.5
Apache (HTTP server): 2.2.3

Regards,
Freek


Re: svn co ignores subfolders with restricted access

Posted by Freek Dijkstra <pu...@macfreek.nl>.
Matt Sickler wrote:

> I didn't really read any of that, but my point is: svn does not, and
> has never checked .htaccess *anywhere*

I know. My point is that it has nothing to do with it (as I even said),
and that I am talking about a genuine bug. I hope that a developer can
comment on it, and reproduce it. In my previous mail are the steps to
reproduce it.

Regards,
Freek


Re: svn co ignores subfolders with restricted access

Posted by Matt Sickler <cr...@gmail.com>.
I didn't really read any of that, but my point is: svn does not, and
has never checked .htaccess *anywhere*


Re: svn co ignores subfolders with restricted access

Posted by Freek Dijkstra <pu...@macfreek.nl>.
Lakshman, Matt,

Thanks for your reply. It encouraged me to look further.
.htaccess has nothing to do with it. It turns out to be a bug in the
design of subversion. Basically, subversion checkout ALWAYS tries to
download the root folder without authentication, then gets a result,
including a statement that one of the subfolders is unreadable (as
anonymous), and never tries to fetch it with the given credentials.

This is plain and simple a bug in subversion.

So, where can I submit bug reports?

I just replicated the bug on a repository with HTTP instead of HTTPS, so
 I could monitor the raw HTTP traffic.

Summary:
For webdav based repositories, subversion checkout ignores restricted
subfolders in a repository if the root folder is anonymously accessible.
Even if proper authentication is given.

Steps to reproduce:
1. Set up Apache with SVN and webdav. I simply took a fresh Debian
   install with the libapache2-svn packages (and relevant dependencies).
2. Set up a new repository with anonymously accessible root, and
   restricted subfolder. E.g., with this configuration:
   ----  httpd.conf:  ---------------------------------------------
   ServerName www.example.com
   <Location /svn>
     DAV svn
     SVNParentPath /var/data/svn
     AuthType Basic
     AuthName "Subversion Repository"
     AuthUserFile /etc/apache2/dav_svn.passwd
     order allow,deny
     allow from all
     Require valid-user
     Satisfy Any
     AuthzSVNAccessFile /etc/apache2/dav_svn.acl
   </Location>
   ----------------------------------------------------------------
   ----  dav_svn.acl:  --------------------------------------------
   [myrepos:/]
   auser = rw
   * = r

   [myrepos:/restrictedsubfolder]
   auser = rw
   * =
   ----------------------------------------------------------------
3. Do a checkout as user "auser":
   svn checkout --username auser --password secret \
     http://www.example.com/svn/myrepos

Expected result:
I expect that the whole myrepos repository would be checked out,
including the restrictedsubfolder, as that is readable by auser.

Actual result:
All of the repository is checked out as anonymous, and the
restrictedsubfolder is completely ignored.

Regression:
The commands and provided username/password are correct. In fact, here
is an excerpt from the Apache log file:
Anonymous checkout of root folder: OK (HTTP 207 result):
  192.0.2.34 - - "PROPFIND /svn/myrepos HTTP/1.1" 207
     665 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
Anonymous checkout of restrictedsubfolder: Disallowed (HTTP 401 result):
  192.0.2.34 - - "PROPFIND /svn/myrepos HTTP/1.1" 401
     560 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
Authenticated checkout of root folder: OK (HTTP 207 result):
  192.0.2.34 - auser - "PROPFIND /svn/myrepos HTTP/1.1" 207
     665 "-" "SVN/1.4.0 (r21228) neon/0.25.5"
Authenticated checkout of restrictedsubfolder: OK (HTTP 207 result):
  192.0.2.34 - auser - "PROPFIND /svn/myrepos HTTP/1.1" 207
     665 "-" "SVN/1.4.0 (r21228) neon/0.25.5"

In fact, I even further analysed the raw HTTP
data. This is what happens for a restricted access root folder, if you
provide authentication:
* the subversion client accesses the HTTP page without authentication
* the server responds with a 401 result (Need authentication)
* the subversion client retries with authentication
* the server responds with a 207 result (OK)
* The repository metadata and a list of files is downloaded

Now, this is what happens for a publicly accessible root folder, if
you provide authentication:
* the subversion client accesses the HTTP page without authentication
* the server responds with a 207 result (OK)
* The repository metadata and a partial list of files is downloaded

The list of downloaded files is PARTIAL, because it contains this data
(excerpt of the full XML transcript):
  <S:absent-directory name="restrictedsubfolder"/>
  <S:add-directory name="publicsubfolder"
    bc-url="/svn/myrepos/!svn/bc/7/publicsubfolder">
  <D:checked-in><D:href>
    /svn/myrepos/!svn/ver/7/publicsubfolder
  </D:href></D:checked-in>

So the restricted access subfolder is marked as "absent-directory". That
is true in this context, as the subversion client never provided
authentication. However, it means that the client will also never
attempt to download the data, despite that proper authentication was
given on the command line!

Regards,
Freek Dijkstra
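
An added example, not part of the original post and not Subversion's own code: it reads an AuthzSVNAccessFile and lists the paths that are denied to anonymous under an anonymously readable parent, the layout that produces the silent partial checkout described above, and pulls the absent entries out of an update report. The function names are hypothetical, the report's namespace URIs are assumed, and only `repo:/path` sections with a literal `*` entry are evaluated.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed sample: the dav_svn.acl rules quoted in the post.
AUTHZ = """\
[myrepos:/]
auser = rw
* = r
[myrepos:/restrictedsubfolder]
auser = rw
* =
"""

# Constructed sample shaped like the post's excerpt; namespace URIs are assumed.
REPORT = """\
<S:update-report xmlns:S="svn:" xmlns:D="DAV:">
  <S:open-directory rev="7">
    <S:absent-directory name="restrictedsubfolder"/>
    <S:add-directory name="publicsubfolder"/>
  </S:open-directory>
</S:update-report>
"""

def load_rules(text):
    """Return {(repo, path): {principal: access}}; [groups] etc. are skipped."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # user names are case-sensitive
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        repo, sep, path = section.partition(":")
        if sep:
            rules[(repo, path.rstrip("/") or "/")] = dict(cp[section])
    return rules

def anonymous_access(rules, repo, path):
    """The nearest '*' entry at path or above decides what anonymous gets."""
    while "*" not in rules.get((repo, path), {}) and path != "/":
        path = path.rsplit("/", 1)[0] or "/"
    return rules.get((repo, path), {}).get("*", "")

def hidden_under_public(rules):
    """Paths denied to anonymous whose parent is anonymously readable."""
    found = []
    for (repo, path), entry in sorted(rules.items()):
        parent = path.rsplit("/", 1)[0] or "/"
        if (path != "/" and "r" not in anonymous_access(rules, repo, path)
                and "r" in anonymous_access(rules, repo, parent)):
            readers = sorted(u for u, a in entry.items() if u != "*" and "r" in a)
            found.append((repo, path, readers))
    return found

def absent_entries(report_xml):
    """Names the server sent as absent-directory or absent-file."""
    return [el.get("name") for el in ET.fromstring(report_xml).iter()
            if el.tag.rsplit("}", 1)[-1].startswith("absent-")]

if __name__ == "__main__":
    print(hidden_under_public(load_rules(AUTHZ)), absent_entries(REPORT))
```

Each path it reports is one that a checkout of the parent URL leaves out without warning for the listed readers; the first message in this thread shows that checking out the subfolder URL itself does return it.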


Re: svn co ignores subfolders with restricted access

Posted by Matt Sickler <cr...@gmail.com>.
How can you have a .htaccess in the svn folder?


RE: svn co ignores subfolders with restricted access

Posted by "Srilakshmanan, Lakshman" <la...@police.vic.gov.au>.
Hi,

This is only a stab in the dark, but do you have a ".htaccess" file in
the folders you are having issues with?

Thanks
Lakshman
 
