Posted to dev@subversion.apache.org by Garrett Rooney <ro...@electricjellyfish.net> on 2004/07/16 02:07:41 UTC
Re: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn
breser@tigris.org wrote:
> Author: breser
> Date: Thu Jul 15 20:46:07 2004
> New Revision: 10325
>
> Modified:
> branches/1.0.x/STATUS
> branches/1.0.x/subversion/include/svn_config.h
> branches/1.0.x/subversion/libsvn_subr/config.c
> branches/1.0.x/subversion/mod_authz_svn/mod_authz_svn.c
> Log:
> Merge r10183, r10184, r10216 onto 1.0.x
>
> mod_authz_svn security hole: check access on *whole tree* when authorizing
> COPY or DELETE requests.
>
> Approved by: +1: striker, breser, sussman
Sorry, this didn't occur to me before now, but can we merge this to
1.0.x? It adds a new function, svn_config_enumerate_sections. Isn't
that against our backwards compatibility policy because it means you can
no longer roll back from 1.0.6 to 1.0.5 because something linking
against 1.0.6 might rely on that function?
-garrett
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
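A simplified model of the check the commit log describes, as an added example that is not part of the thread and not mod_authz_svn's code: authorizing only the request path lets a COPY or DELETE of a parent reach a restricted child, while the whole-tree check also consults every rule below the request path. The rule table and the names `is_under`, `check_path` and `check_tree` are hypothetical, and the data is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed rules for one user: the most specific matching path decides. */
struct rule { const char *path; int allowed; };
static const struct rule RULES[] = {
    { "/",             1 },
    { "/trunk/secret", 0 },
};
#define NRULES (sizeof RULES / sizeof RULES[0])

/* 1 if path is root itself or lies below it, on a path-component boundary. */
static int is_under(const char *path, const char *root)
{
    size_t n = strlen(root);
    if (strcmp(root, "/") == 0) return path[0] == '/';
    return strncmp(path, root, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Single-path check: the longest rule path that contains `path` wins. */
static int check_path(const char *path)
{
    size_t best = 0; int allowed = 0;   /* no matching rule: deny */
    for (size_t i = 0; i < NRULES; i++) {
        size_t n = strlen(RULES[i].path);
        if (is_under(path, RULES[i].path) && n >= best) {
            best = n; allowed = RULES[i].allowed;
        }
    }
    return allowed;
}

/* Whole-tree check: the root must be allowed, and so must every rule below it. */
static int check_tree(const char *root)
{
    if (!check_path(root)) return 0;
    for (size_t i = 0; i < NRULES; i++)
        if (is_under(RULES[i].path, root) && !RULES[i].allowed) return 0;
    return 1;
}

int main(void)
{
    printf("path /trunk: %d, tree /trunk: %d, tree /branches: %d\n",
           check_path("/trunk"), check_tree("/trunk"), check_tree("/branches"));
    return 0;
}
```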
RE: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn
Posted by Sander Striker <st...@apache.org>.
> From: Ben Reser [mailto:ben@reser.org]
> Sent: Saturday, July 17, 2004 12:33 AM
> Okay this time without the unintentional merge.
Seems to work for me.
Sander
Re: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn
Posted by Ben Reser <be...@reser.org>.
On Fri, Jul 16, 2004 at 02:15:55PM -0700, Ben Reser wrote:
> On Fri, Jul 16, 2004 at 10:47:35PM +0200, Sander Striker wrote:
> > > From: Ben Reser [mailto:ben@reser.org]
> > > Sent: Friday, July 16, 2004 10:21 PM
> >
> > [...]
> > > > You're right we can't. Sander would you write a version of this
> > > > against 1.0.x without r10325 that doesn't add a new function? I'd do
> > > > it myself but I figure you have a better setup for testing this.
> > >
> > > Attached is a copy of a PATCH of this merge that renames the
> > > enumerate_sections function to be out of our public API. Can
> > > people please review and I'll cut 1.0.6. :)
> >
> > Note that this patch includes the authz file caching as well, which
> > has been proposed for backport at a previous release but hadn't
> > made it.
>
> Ack darn conflicts... Must have picked it up when I resolved the
> conflicts.
Okay this time without the unintentional merge.
--
Ben Reser <be...@reser.org>
http://ben.reser.org
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
Re: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn
Posted by Ben Reser <be...@reser.org>.
On Fri, Jul 16, 2004 at 10:47:35PM +0200, Sander Striker wrote:
> > From: Ben Reser [mailto:ben@reser.org]
> > Sent: Friday, July 16, 2004 10:21 PM
>
> [...]
> > > You're right we can't. Sander would you write a version of this
> > > against 1.0.x without r10325 that doesn't add a new function? I'd do
> > > it myself but I figure you have a better setup for testing this.
> >
> > Attached is a copy of a PATCH of this merge that renames the
> > enumerate_sections function to be out of our public API. Can
> > people please review and I'll cut 1.0.6. :)
>
> Note that this patch includes the authz file caching as well, which
> has been proposed for backport at a previous release but hadn't
> made it.
Ack darn conflicts... Must have picked it up when I resolved the
conflicts.
--
Ben Reser <be...@reser.org>
http://ben.reser.org
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
RE: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn
Posted by Sander Striker <st...@apache.org>.
> From: Ben Reser [mailto:ben@reser.org]
> Sent: Friday, July 16, 2004 10:21 PM
[...]
> > You're right we can't. Sander would you write a version of this
> > against 1.0.x without r10325 that doesn't add a new function? I'd do
> > it myself but I figure you have a better setup for testing this.
>
> Attached is a copy of a PATCH of this merge that renames the
> enumerate_sections function to be out of our public API. Can
> people please review and I'll cut 1.0.6. :)
Note that this patch includes the authz file caching as well, which
has been proposed for backport at a previous release but hadn't
made it.
Sander
Re: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn
Posted by Ben Reser <be...@reser.org>.
On Thu, Jul 15, 2004 at 07:54:05PM -0700, Ben Reser wrote:
> On Thu, Jul 15, 2004 at 10:07:41PM -0400, Garrett Rooney wrote:
> > breser@tigris.org wrote:
> >
> > >Author: breser
> > >Date: Thu Jul 15 20:46:07 2004
> > >New Revision: 10325
> > >
> > >Modified:
> > > branches/1.0.x/STATUS
> > > branches/1.0.x/subversion/include/svn_config.h
> > > branches/1.0.x/subversion/libsvn_subr/config.c
> > > branches/1.0.x/subversion/mod_authz_svn/mod_authz_svn.c
> > >Log:
> > >Merge r10183, r10184, r10216 onto 1.0.x
> > >
> > >mod_authz_svn security hole: check access on *whole tree* when authorizing
> > > COPY or DELETE requests.
> > >
> > >Approved by: +1: striker, breser, sussman
> >
> > Sorry, this didn't occur to me before now, but can we merge this to
> > 1.0.x? It adds a new function, svn_config_enumerate_sections. Isn't
> > that against our backwards compatibility policy because it means you can
> > no longer roll back from 1.0.6 to 1.0.5 because something linking
> > against 1.0.6 might rely on that function?
>
> You're right we can't. Sander would you write a version of this against
> 1.0.x without r10325 that doesn't add a new function? I'd do it myself
> but I figure you have a better setup for testing this.
Attached is a copy of a PATCH of this merge that renames the
enumerate_sections function to be out of our public API. Can people
please review and I'll cut 1.0.6. :)
--
Ben Reser <be...@reser.org>
http://ben.reser.org
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
Re: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn
Posted by Ben Reser <be...@reser.org>.
On Thu, Jul 15, 2004 at 10:07:41PM -0400, Garrett Rooney wrote:
> breser@tigris.org wrote:
>
> >Author: breser
> >Date: Thu Jul 15 20:46:07 2004
> >New Revision: 10325
> >
> >Modified:
> > branches/1.0.x/STATUS
> > branches/1.0.x/subversion/include/svn_config.h
> > branches/1.0.x/subversion/libsvn_subr/config.c
> > branches/1.0.x/subversion/mod_authz_svn/mod_authz_svn.c
> >Log:
> >Merge r10183, r10184, r10216 onto 1.0.x
> >
> >mod_authz_svn security hole: check access on *whole tree* when authorizing
> > COPY or DELETE requests.
> >
> >Approved by: +1: striker, breser, sussman
>
> Sorry, this didn't occur to me before now, but can we merge this to
> 1.0.x? It adds a new function, svn_config_enumerate_sections. Isn't
> that against our backwards compatibility policy because it means you can
> no longer roll back from 1.0.6 to 1.0.5 because something linking
> against 1.0.6 might rely on that function?
You're right we can't. Sander would you write a version of this against
1.0.x without r10325 that doesn't add a new function? I'd do it myself
but I figure you have a better setup for testing this.
--
Ben Reser <be...@reser.org>
http://ben.reser.org
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken