Posted to dev@subversion.apache.org by Paul Hammant <pa...@hammant.org> on 2017/12/09 21:22:10 UTC

Authz - paths with trailing slash isn't supported - right?

In authz files, [/] is often mentioned as a cross-cutting repo root that
has permissions for users and groups.

There are no other references to a path in square brackets with a trailing
slash. At least, not in
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html.

That was context, and here's the question or perhaps bug report...

So, administrators of Svn installs should *not* create paths in authz files
with *trailing slashes* - like [/foo/] - right?  I say that because my
attempts to do so yield plenty of unexplainable 403 responses in ordinary
clients like web browsers. Making me think it's a bug.

Or there could be a dev-team view that this is a documentation improvement
issue at this point. Specifically some advice  like "Paths that are
directories don't have trailing slashes in square brackets other than [/]
for the root" added to the above page.

One more thing - Mike Pilato's
http://blogs.collab.net/subversion/authz_and_anon_ article on CollabNet's
blog ... would be great if it were slurped into the SvnBook somehow. Anyone
from Collabnet care to weigh in?

- Paul

Re: Authz - paths with trailing slash isn't supported - right?

Posted by Paul Hammant <pa...@hammant.org>.
>
>
> > Should I raise this in https://issues.apache.org/jira/browse/SVN
> > or not ?
>
> We could clarify the error message by having it refer the admin to the
> server log.  We might also have the error message state "The authz file
> failed to parse" (without details; we'd consider the authz file's path
> and section names to be confidential).
>
> Is that what you had in mind?  Or are you thinking of a larger change,
> e.g., detecting the invalid authz file even before a request is made to
> a repository that uses it (= the invalid authz file)?
>

No, a small informational change, IMO.

Eight years ago in the Selenium team we sprinkled helpful URLs in the
exception messages. Selenium was Java+Python+C#+Ruby+JavaScript back then
and a hard tech to get going with in the view of many. It uses many more
languages since V2. We had and still have lots of noobs wanting to get
running with it, and driving them to a help page if they could see it in
exception messages and logs was a way of reducing questions on mail-lists.

- Paul

Re: Authz - paths with trailing slash isn't supported - right?

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Paul Hammant wrote on Sat, 09 Dec 2017 21:54 -0500:
> >
> > The cause of the 403 should be logged on the server side.
> >>
> >
> > It was:
> >
> > [Sat Dec 09 22:24:47.803767 2017] [authz_svn:error] [pid 13] [client
> > 172.17.0.1:35066] Failed to load the mod_authz_svn config: Section name
> > '/foo/a/' contains non-canonical fspath '/foo/a/'
> > [Sat Dec 09 22:24:47.803817 2017] [authz_svn:error] [pid 13] [client
> > 172.17.0.1:35066] Access denied: 'harry' GET foo:/a
> >
> 
> Should an unparsable authz file be communicated in a clearer way than some
> URLs working and some 403ing?

Last I checked, that's not the failure mode.  When the authz file fails
to parse, *all* accesses to the repository result in 403.  That's true
even if the file parses correctly insofar as the .ini ConfigParser
format is concerned, but isn't a valid authz file for other reasons
(e.g., non-canonical paths in section headers).

> Should I raise this in https://issues.apache.org/jira/browse/SVN
> or not ?

We could clarify the error message by having it refer the admin to the
server log.  We might also have the error message state "The authz file
failed to parse" (without details; we'd consider the authz file's path
and section names to be confidential).

Is that what you had in mind?  Or are you thinking of a larger change,
e.g., detecting the invalid authz file even before a request is made to
a repository that uses it (= the invalid authz file)?

Cheers,

Daniel
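
An added example, not part of the thread and not Subversion's own code: a pre-deployment lint for the failure described above, where one non-canonical section name such as [/foo/a/] makes the whole authz file fail to load. The checks approximate the canonical-fspath rule and assume only plain [/path] and [repo:/path] sections; the function names and the sample file are constructed.

```python
import re

NON_PATH_SECTIONS = {"groups", "aliases"}  # sections that are not path rules
HEADER = re.compile(r"^\[(.*)\]$")

def fspath_problem(path):
    """Return why `path` is non-canonical, or None (approximate rule)."""
    if not path.startswith("/"):
        return "must start with '/'"
    if path == "/":
        return None  # root: its slash is a leading slash, not a trailing one
    if path.endswith("/"):
        return "trailing slash"
    if any(seg in ("", ".") for seg in path[1:].split("/")):
        return "empty or '.' segment"
    return None

def lint_authz(text):
    """Return (line_no, section, problem) for each suspect path section."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = HEADER.match(line.strip())
        if not m or m.group(1) in NON_PATH_SECTIONS:
            continue
        section = m.group(1)
        # An optional "repository:" prefix precedes the path, as in [foo:/a].
        repo, sep, rest = section.partition(":")
        path = rest if sep and not repo.startswith("/") else section
        problem = fspath_problem(path)
        if problem:
            findings.append((line_no, section, problem))
    return findings

# Constructed sample authz file: two sections carry a trailing slash.
SAMPLE = """[groups]
devs = harry, sally
[/]
* = r
[/foo/a/]
harry = rw
[foo:/b/]
@devs = rw
[foo:/c]
@devs = r
"""

if __name__ == "__main__":
    for line_no, section, problem in lint_authz(SAMPLE):
        print(f"line {line_no}: [{section}] {problem}")
```

On Subversion 1.8 and later, `svnauthz validate` remains the authoritative check because it uses the server's own parser.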

Re: Authz - paths with trailing slash isn't supported - right?

Posted by Paul Hammant <pa...@hammant.org>.
>
> The cause of the 403 should be logged on the server side.
>>
>
> It was:
>
> [Sat Dec 09 22:24:47.803767 2017] [authz_svn:error] [pid 13] [client
> 172.17.0.1:35066] Failed to load the mod_authz_svn config: Section name
> '/foo/a/' contains non-canonical fspath '/foo/a/'
> [Sat Dec 09 22:24:47.803817 2017] [authz_svn:error] [pid 13] [client
> 172.17.0.1:35066] Access denied: 'harry' GET foo:/a
>

Should an unparsable authz file be communicated in a clearer way than some
URLs working and some 403ing?  Should I raise this in
https://issues.apache.org/jira/browse/SVN or not ?

- Paul

Re: Authz - paths with trailing slash isn't supported - right?

Posted by Paul Hammant <pa...@hammant.org>.
>
>
> No, it's intentional:
>
> https://subversion.apache.org/docs/release-notes/1.8.html#authz-fspath-syntax
>
> The cause of the 403 should be logged on the server side.
>

It was:

[Sat Dec 09 22:24:47.803767 2017] [authz_svn:error] [pid 13] [client
172.17.0.1:35066] Failed to load the mod_authz_svn config: Section name
'/foo/a/' contains non-canonical fspath '/foo/a/'
[Sat Dec 09 22:24:47.803817 2017] [authz_svn:error] [pid 13] [client
172.17.0.1:35066] Access denied: 'harry' GET foo:/a



> >.. would be great if it were slurped into the SvnBook somehow. Anyone
> > from Collabnet care to weigh in?
>
> Bug reports against the book should go to svnbook-dev@red-bean.com
>

Will do.

Re: Authz - paths with trailing slash isn't supported - right?

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Paul Hammant wrote on Sat, 09 Dec 2017 16:22 -0500:
> So, administrators of Svn installs should *not* create paths in authz files
> with *trailing slashes* - like [/foo/] - right?  I say that because my
> attempts to do so yield plenty of unexplainable 403 responses in ordinary
> clients like web browsers. Making me think it's a bug.

No, it's intentional:

https://subversion.apache.org/docs/release-notes/1.8.html#authz-fspath-syntax

The cause of the 403 should be logged on the server side.

> Or there could be a dev-team view that this is a documentation improvement
> issue at this point. Specifically some advice  like "Paths that are
> directories don't have trailing slashes in square brackets other than [/]
> for the root" added to the above page.
> 
> One more thing - Mike Pilato's
> http://blogs.collab.net/subversion/authz_and_anon_ article on CollabNet's
> blog ... would be great if it were slurped into the SvnBook somehow. Anyone
> from Collabnet care to weigh in?

Bug reports against the book should go to svnbook-dev@red-bean.com

Re: Authz - paths with trailing slash isn't supported - right?

Posted by Paul Hammant <pa...@hammant.org>.
>
>
> The / on the root is not a trailing slash; it's a leading slash. Paths
> in the authz file must /start/ with a slash.
>

Obvious really, I guess.

Re: Authz - paths with trailing slash isn't supported - right?

Posted by Branko Čibej <br...@apache.org>.
On 09.12.2017 22:22, Paul Hammant wrote:
> Or there could be a dev-team view that this is a documentation
> improvement issue at this point. Specifically some advice  like "Paths
> that are directories don't have trailing slashes in square brackets
> other than [/] for the root" added to the above page.

The / on the root is not a trailing slash; it's a leading slash. Paths
in the authz file must /start/ with a slash.

> One more thing - Mike Pilato's
> http://blogs.collab.net/subversion/authz_and_anon_ article on
> CollabNet's blog ... would be great if it were slurped into the
> SvnBook somehow. Anyone from Collabnet care to weigh in?

You'd best ask the Mike Pilato who's the co-author of The Book about that.

-- Brane


Re: Authz - paths with trailing slash isn't supported - right?

Posted by Mark Phippard <ma...@gmail.com>.
> On Dec 9, 2017, at 4:22 PM, Paul Hammant <pa...@hammant.org> wrote:
> 
> One more thing - Mike Pilato's http://blogs.collab.net/subversion/authz_and_anon_ article on CollabNet's blog ... would be great if it were slurped into the SvnBook somehow. Anyone from Collabnet care to weigh in?

I thought Mike already did? http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html#svn.serverconfig.pathbasedauthz.gotchas

Mark