Posted to dev@subversion.apache.org by Garrett Rooney <ro...@electricjellyfish.net> on 2004/07/16 02:07:41 UTC

Re: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn

breser@tigris.org wrote:

> Author: breser
> Date: Thu Jul 15 20:46:07 2004
> New Revision: 10325
> 
> Modified:
>    branches/1.0.x/STATUS
>    branches/1.0.x/subversion/include/svn_config.h
>    branches/1.0.x/subversion/libsvn_subr/config.c
>    branches/1.0.x/subversion/mod_authz_svn/mod_authz_svn.c
> Log:
> Merge r10183, r10184, r10216 onto 1.0.x
> 
> mod_authz_svn security hole:  check access on *whole tree* when authorizing
>                               COPY or DELETE requests.
> 
> Approved by: +1: striker, breser, sussman

Sorry, this didn't occur to me before now, but can we merge this to 
1.0.x?  It adds a new function, svn_config_enumerate_sections.  Isn't 
that against our backwards compatibility policy because it means you can 
no longer roll back from 1.0.6 to 1.0.5 because something linking 
against 1.0.6 might rely on that function?

-garrett

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
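The commit message above states the hole in one line. The model below, an added example and not mod_authz_svn's code, sketches the difference between checking only the target path and checking every authz section under it for COPY and DELETE; the authz table, user names and paths are constructed.

```python
# Added example (not mod_authz_svn's code): a simplified model of Subversion's
# path-based authz showing why COPY and DELETE must be checked on the whole
# subtree, not just on the target path.  AUTHZ is a constructed authz file.
AUTHZ = {
    "/": {"*": "r"},
    "/trunk": {"alice": "rw", "bob": "r"},
    "/trunk/secret": {"alice": "", "bob": "rw"},   # alice is locked out here
    "/branches": {"alice": "rw", "bob": "rw"},
}

def _rights_in_section(section, user):
    """Rights granted by one [section]; an explicit empty entry means none."""
    rules = AUTHZ.get(section, {})
    return rules[user] if user in rules else rules.get("*", "")

def effective_rights(path, user):
    """Longest-prefix section wins, as in Subversion's path-based authz."""
    p = path.rstrip("/") or "/"
    while p not in AUTHZ and p != "/":
        p = p.rsplit("/", 1)[0] or "/"
    return _rights_in_section(p, user)

def has_right(path, user, right, whole_tree):
    """Check RIGHT at PATH; with whole_tree also at every section below it."""
    if right not in effective_rights(path, user):
        return False
    if not whole_tree:
        return True
    prefix = path.rstrip("/") + "/"
    return all(right in _rights_in_section(s, user)
               for s in AUTHZ if s.startswith(prefix))

def authorize(method, path, user, dest=None, whole_tree=True):
    """whole_tree=False reproduces the pre-fix check; True is the fixed one."""
    if method == "DELETE":            # removing a dir removes everything under it
        return has_right(path, user, "w", whole_tree)
    if method == "COPY":              # copying a dir exposes everything under it
        return (has_right(path, user, "r", whole_tree)
                and has_right(dest, user, "w", False))
    raise ValueError("method not modelled: " + method)
```

With the single-path check alice may delete /trunk, or copy it into /branches where she can read everything, even though /trunk/secret is denied to her; the whole-tree check refuses both.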

RE: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn

Posted by Sander Striker <st...@apache.org>.
> From: Ben Reser [mailto:ben@reser.org] 
> Sent: Saturday, July 17, 2004 12:33 AM
> Okay this time without the unintentional merge.

Seems to work for me.

Sander


Re: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn

Posted by Ben Reser <be...@reser.org>.
On Fri, Jul 16, 2004 at 02:15:55PM -0700, Ben Reser wrote:
> On Fri, Jul 16, 2004 at 10:47:35PM +0200, Sander Striker wrote:
> > > From: Ben Reser [mailto:ben@reser.org] 
> > > Sent: Friday, July 16, 2004 10:21 PM
> > 
> > [...]
> > > > You're right we can't.  Sander would you write a version of this 
> > > > against 1.0.x without r10325 that doesn't add a new 
> > > function?  I'd do 
> > > > it myself but I figure you have a better setup for testing this.
> > > 
> > > Attached is a copy of a PATCH of this merge that renames the 
> > > enumerate_sections function to be out of our public API.  Can 
> > > people please review and I'll cut 1.0.6. :)
> > 
> > Note that this patch includes the authz file caching as well, which
> > has been proposed for backport at a previous release but hadn't
> > made it.
> 
> Ack darn conflicts...  Must have picked it up when I resolved the
> conflicts.

Okay this time without the unintentional merge.

-- 
Ben Reser <be...@reser.org>
http://ben.reser.org

"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken

Re: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn

Posted by Ben Reser <be...@reser.org>.
On Fri, Jul 16, 2004 at 10:47:35PM +0200, Sander Striker wrote:
> > From: Ben Reser [mailto:ben@reser.org] 
> > Sent: Friday, July 16, 2004 10:21 PM
> 
> [...]
> > > You're right we can't.  Sander would you write a version of this 
> > > against 1.0.x without r10325 that doesn't add a new 
> > function?  I'd do 
> > > it myself but I figure you have a better setup for testing this.
> > 
> > Attached is a copy of a PATCH of this merge that renames the 
> > enumerate_sections function to be out of our public API.  Can 
> > people please review and I'll cut 1.0.6. :)
> 
> Note that this patch includes the authz file caching as well, which
> has been proposed for backport at a previous release but hadn't
> made it.

Ack darn conflicts...  Must have picked it up when I resolved the
conflicts.

-- 
Ben Reser <be...@reser.org>
http://ben.reser.org

"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken


RE: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn

Posted by Sander Striker <st...@apache.org>.
> From: Ben Reser [mailto:ben@reser.org] 
> Sent: Friday, July 16, 2004 10:21 PM

[...]
> > You're right we can't.  Sander would you write a version of this 
> > against 1.0.x without r10325 that doesn't add a new 
> function?  I'd do 
> > it myself but I figure you have a better setup for testing this.
> 
> Attached is a copy of a PATCH of this merge that renames the 
> enumerate_sections function to be out of our public API.  Can 
> people please review and I'll cut 1.0.6. :)

Note that this patch includes the authz file caching as well, which
has been proposed for backport at a previous release but hadn't
made it.

Sander


Re: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn

Posted by Ben Reser <be...@reser.org>.
On Thu, Jul 15, 2004 at 07:54:05PM -0700, Ben Reser wrote:
> On Thu, Jul 15, 2004 at 10:07:41PM -0400, Garrett Rooney wrote:
> > breser@tigris.org wrote:
> > 
> > >Author: breser
> > >Date: Thu Jul 15 20:46:07 2004
> > >New Revision: 10325
> > >
> > >Modified:
> > >   branches/1.0.x/STATUS
> > >   branches/1.0.x/subversion/include/svn_config.h
> > >   branches/1.0.x/subversion/libsvn_subr/config.c
> > >   branches/1.0.x/subversion/mod_authz_svn/mod_authz_svn.c
> > >Log:
> > >Merge r10183, r10184, r10216 onto 1.0.x
> > >
> > >mod_authz_svn security hole:  check access on *whole tree* when authorizing
> > >                              COPY or DELETE requests.
> > >
> > >Approved by: +1: striker, breser, sussman
> > 
> > Sorry, this didn't occur to me before now, but can we merge this to 
> > 1.0.x?  It adds a new function, svn_config_enumerate_sections.  Isn't 
> > that against our backwards compatibility policy because it means you can 
> > no longer roll back from 1.0.6 to 1.0.5 because something linking 
> > against 1.0.6 might rely on that function?
> 
> You're right we can't.  Sander would you write a version of this against
> 1.0.x without r10325 that doesn't add a new function?  I'd do it myself
> but I figure you have a better setup for testing this.

Attached is a copy of a PATCH of this merge that renames the
enumerate_sections function to be out of our public API.  Can people
please review and I'll cut 1.0.6. :)

-- 
Ben Reser <be...@reser.org>
http://ben.reser.org

"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken

Re: svn commit: r10325 - in branches/1.0.x: . subversion/include subversion/libsvn_subr subversion/mod_authz_svn

Posted by Ben Reser <be...@reser.org>.
On Thu, Jul 15, 2004 at 10:07:41PM -0400, Garrett Rooney wrote:
> breser@tigris.org wrote:
> 
> >Author: breser
> >Date: Thu Jul 15 20:46:07 2004
> >New Revision: 10325
> >
> >Modified:
> >   branches/1.0.x/STATUS
> >   branches/1.0.x/subversion/include/svn_config.h
> >   branches/1.0.x/subversion/libsvn_subr/config.c
> >   branches/1.0.x/subversion/mod_authz_svn/mod_authz_svn.c
> >Log:
> >Merge r10183, r10184, r10216 onto 1.0.x
> >
> >mod_authz_svn security hole:  check access on *whole tree* when authorizing
> >                              COPY or DELETE requests.
> >
> >Approved by: +1: striker, breser, sussman
> 
> Sorry, this didn't occur to me before now, but can we merge this to 
> 1.0.x?  It adds a new function, svn_config_enumerate_sections.  Isn't 
> that against our backwards compatibility policy because it means you can 
> no longer roll back from 1.0.6 to 1.0.5 because something linking 
> against 1.0.6 might rely on that function?

You're right we can't.  Sander would you write a version of this against
1.0.x without r10325 that doesn't add a new function?  I'd do it myself
but I figure you have a better setup for testing this.

-- 
Ben Reser <be...@reser.org>
http://ben.reser.org

"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
