Index: subversion-1.10.0/subversion/mod_authz_svn/mod_authz_svn.c
===================================================================
--- subversion-1.10.0.orig/subversion/mod_authz_svn/mod_authz_svn.c
+++ subversion-1.10.0/subversion/mod_authz_svn/mod_authz_svn.c
@@ -38,6 +38,16 @@
 #include <apr_lib.h>
 #include <mod_dav.h>

+#if ( AP_SERVER_MAJORVERSION_NUMBER * 10 + AP_SERVER_MINORVERSION_NUMBER ) > 23
+# define HAVE_AP_24 1
+# else
+# define HAVE_AP_24 0
+#endif
+
+#if HAVE_AP_24
+#include "mod_auth.h"
+#endif
+
 #include "mod_dav_svn.h"
 #include "mod_authz_svn.h"
 #include "svn_path.h"
@@ -84,6 +94,11 @@ typedef struct authz_svn_config_rec {
   const char *force_username_case;
 } authz_svn_config_rec;

+
+
+#if HAVE_AP_24
+
+#else
 /* version where ap_some_auth_required breaks */
 #if AP_MODULE_MAGIC_AT_LEAST(20060110,0)
 /* first version with force_authn hook and ap_some_authn_required()
@@ -105,6 +120,7 @@ typedef struct authz_svn_config_rec {
    /* old enough that ap_some_auth_required() still works */
 #  define USE_FORCE_AUTHN 0
 #endif
+#endif

 /*
  * Configuration
@@ -876,6 +892,88 @@ subreq_bypass(request_rec *r,
  * Hooks
  */

+
+
+#if HAVE_AP_24
+
+static authz_status svnpath_check_authorization(request_rec *r,
+                                                   const char *require_args,
+                                                   const void *parsed_require_args)
+{
+  authz_svn_config_rec *conf = ap_get_module_config(r->per_dir_config,
+                                                    &authz_svn_module);
+  const char *repos_path = NULL;
+  const char *dest_repos_path = NULL;
+  int status;
+
+  /* Use the force_authn() hook available in 2.4.x to work securely
+   * given that ap_some_auth_required() is no longer functional for our
+   * purposes in 2.4.x.
+   */
+  int authn_configured;
+
+  /* We are not configured to run */
+  if (! (conf->access_file || conf->repo_relative_access_file))
+    return AUTHZ_GENERAL_ERROR;
+
+  /* See if authentication is configured */
+
+  authn_configured = ap_auth_type(r) != NULL;
+
+  /* ap_auth_type: Returns the authentication type (as set by the AuthType directive) for the request r. Currently this should only be Basic, Digest, or NULL. */
+
+  if (!r->user) {
+    if (authn_configured && !conf->anonymous) {
+      /* We need an user because don't allow anonymous access */
+      return AUTHZ_DENIED_NO_USER;
+    }
+    else if (!authn_configured && !conf->anonymous) {
+      /* There is no auth defined and we don't allow anonymous */
+      return AUTHZ_DENIED;
+    }
+  }
+
+  /* Now we have an user (r->user) or we don't but want anonymous access (!authn_configured && conf->anonymous) */
+
+
+  /* If anon access is allowed, return OK */
+
+  /* Now test */
+
+  status = req_check_access(r, conf, &repos_path, &dest_repos_path);
+  if (status == DECLINED)
+    {
+
+      log_access_verdict(APLOG_MARK, r, 0, FALSE, repos_path, dest_repos_path);
+      if (authn_configured && !r->user ) {
+       /* Give a second chance only in the case that authn modules could call us back with an user */
+       return AUTHZ_DENIED_NO_USER;
+      }
+
+      /* in any other case we have failed */
+
+      return AUTHZ_DENIED;
+
+    }
+
+  if (status != OK) {
+    switch (status)
+      {
+      case HTTP_BAD_REQUEST:
+      case HTTP_FORBIDDEN:
+       return AUTHZ_GENERAL_ERROR;
+      default:
+       return AUTHZ_DENIED;
+      }
+  }
+
+  log_access_verdict(APLOG_MARK, r, 1, FALSE, repos_path, dest_repos_path);
+
+  return AUTH_GRANTED;
+}
+
+#else
+
 static int
 access_checker(request_rec *r)
 {
@@ -912,7 +1010,7 @@ access_checker(request_rec *r)
         {
           /* Set the note to force authn regardless of what access_checker_ex
              hook requires */
-          apr_table_setn(r->notes, FORCE_AUTHN_NOTE, (const char*)1);
+          apr_table_setn(r->notes, FORCE_AUTHN_NOTE, "1");

           /* provide the proper return so the access_checker hook doesn't
            * prevent the code from continuing on to the other auth hooks */
@@ -978,7 +1076,7 @@ access_checker(request_rec *r)
            * ap_some_authn_rquired() without triggering an infinite
            * loop since the call will trigger this function to be
            * called again. */
-          apr_table_setn(r->notes, IN_SOME_AUTHN_NOTE, (const char*)1);
+          apr_table_setn(r->notes, IN_SOME_AUTHN_NOTE, "1");
           authn_required = ap_some_authn_required(r);
           apr_table_unset(r->notes, IN_SOME_AUTHN_NOTE);
           if (authn_required)
@@ -1000,6 +1098,10 @@ access_checker(request_rec *r)
   return OK;
 }

+
+
+
+
 static int
 check_user_id(request_rec *r)
 {
@@ -1021,7 +1123,7 @@ check_user_id(request_rec *r)
   status = req_check_access(r, conf, &repos_path, &dest_repos_path);
   if (status == OK)
     {
-      apr_table_setn(r->notes, "authz_svn-anon-ok", (const char*)1);
+      apr_table_setn(r->notes, "authz_svn-anon-ok", "1");
       log_access_verdict(APLOG_MARK, r, 1, FALSE, repos_path, dest_repos_path);
       return OK;
     }
@@ -1077,31 +1179,93 @@ force_authn(request_rec *r)
   return DECLINED;
 }
 #endif
+#endif

 /*
  * Module flesh
  */

+
+
+#if HAVE_AP_24
+
+static const char *svnpathchk_parse_config(cmd_parms *cmd, const char *require_line,
+                                     const void **parsed_require_line)
+{
+    const char *expr_err = NULL;
+    ap_expr_info_t *expr;
+
+    expr = ap_expr_parse_cmd(cmd, require_line, AP_EXPR_FLAG_STRING_RESULT,
+            &expr_err, NULL);
+
+    if (expr_err)
+        return apr_pstrcat(cmd->temp_pool,
+                           "Cannot parse expression in require line: ",
+                           expr_err, NULL);
+
+    *parsed_require_line = expr;
+
+    return NULL;
+}
+
+
+static const authz_provider authz_svnpathchk_provider =
+{
+  &svnpath_check_authorization,
+  &svnpathchk_parse_config,
+};
+
+
+#endif
+
+
 /* Implements the #register_hooks method of Apache's #module vtable. */
 static void
 register_hooks(apr_pool_t *p)
 {
+
+#if HAVE_AP_24
+  /*
+   * Register authz provider
+   * We begin with AP_AUTH_INTERNAL_PER_CONF setting
+   * to avoid breaking too much things, as we don't know if subrequests of aun authorized path
+   * are going to use an unauthorized path
+   *
+   * Otherways we could be using AP_AUTH_INTERNAL_PER_URI
+   */
+  ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "svnpathaccess",
+                              AUTHZ_PROVIDER_VERSION,
+                              &authz_svnpathchk_provider,
+                              AP_AUTH_INTERNAL_PER_CONF);
+
+
+
+#else
+  /*
+   * 2.2 compatible stuff
+   * from <https://httpd.apache.org/docs/2.4/developer/new_api_2_4.html>, it is:
+   ** DEPRECATED direct use of ap_hook_access_checker, access_checker_ex, ap_hook_check_user_id, ap_hook_auth_checker
+   */
   static const char * const mod_ssl[] = { "mod_ssl.c", NULL };

+  #if USE_FORCE_AUTHN
+  ap_hook_force_authn(force_authn, NULL, NULL, APR_HOOK_FIRST);
+  #endif
   ap_hook_access_checker(access_checker, NULL, NULL, APR_HOOK_LAST);
   /* Our check_user_id hook must be before any module which will return
    * HTTP_UNAUTHORIZED (mod_auth_basic, etc.), but after mod_ssl, to
    * give SSLOptions +FakeBasicAuth a chance to work. */
   ap_hook_check_user_id(check_user_id, mod_ssl, NULL, APR_HOOK_FIRST);
   ap_hook_auth_checker(auth_checker, NULL, NULL, APR_HOOK_FIRST);
-#if USE_FORCE_AUTHN
-  ap_hook_force_authn(force_authn, NULL, NULL, APR_HOOK_FIRST);
 #endif
+
   ap_register_provider(p,
                        AUTHZ_SVN__SUBREQ_BYPASS_PROV_GRP,
                        AUTHZ_SVN__SUBREQ_BYPASS_PROV_NAME,
                        AUTHZ_SVN__SUBREQ_BYPASS_PROV_VER,
                        (void*)subreq_bypass);
+
+
 }

 module AP_MODULE_DECLARE_DATA authz_svn_module =