Assertion `svn_uri_is_canonical(child_uri, ((void *)0))' failed.
Hi, I'm trying to get a list of changed files, but get the error mentioned above. Please, help me with this problem. Reproduce: I moved a few files to a new directory using SVN mv and run command: $ svn diff -r2695:HEAD --summarize svn: subversion/libsvn_subr/dirent_uri.c:1519: uri_skip_ancestor: Assertion `svn_uri_is_canonical(child_uri, ((void *)0))' failed. Aborted $
Re: Assertion `svn_uri_is_canonical(child_uri, ((void *)0))' failed.
On Tue, Sep 17, 2013 at 9:14 AM, Карепин Андрей Николаевич akare...@at-consulting.ru wrote: Hi, I'm trying to get a list of changed files, but get the error mentioned above. Please, help me with this problem. Reproduce: I moved a few files to a new directory using SVN mv and run command: $ svn diff -r2695:HEAD --summarize svn: subversion/libsvn_subr/dirent_uri.c:1519: uri_skip_ancestor: Assertion `svn_uri_is_canonical(child_uri, ((void *)0))' failed. Aborted $ Which version of svn client? Can you reproduce with the latest release (1.8.3)? -- Johan
Re: Push ?
On Mon, Sep 16, 2013 at 4:51 PM, Les Mikesell lesmikes...@gmail.com wrote: On Mon, Sep 16, 2013 at 2:53 PM, Dan White d_e_wh...@icloud.com wrote: The described solution is one we already use within our network space, but Security will not allow a connection from DMZ to the internal SVN server. It violates the whole purpose of having a DMZ in the first place. There is always the trick of ssh-ing a command from inside the firewall to the DMZ box that (a) sets up port-forwarding and (b) runs the svn command as though the repo is on localhost. Technically, and from the firewall's point of view, the connection is established outbound. This is also a firing offense in many environments. I once had a chief developer, with various root SSH key access, running just such tunnels to and from his home machine, tunnels that I happened to notice. He was also using non-passphrase protected SSH keys, and had *built* the previous version of Subversion in use at that company. Given the secure data he had access to this way, from offsite, it caused a serous scandal behind closed doors, (And I replaced that Subversion with a source controlled one, owned by root, instead of the one owned by him individually!)
RE: SVN merge attempting to reintegrate on a merge to a branch
-Original Message- From: Stefan Sperling [mailto:s...@elego.de] Sent: Monday, September 16, 2013 5:35 AM To: Andrew Reedick Cc: Goor, Stefan; users@subversion.apache.org Subject: Re: SVN merge attempting to reintegrate on a merge to a branch On Fri, Sep 13, 2013 at 04:16:17PM -0400, Andrew Reedick wrote: -Original Message- From: Goor, Stefan [mailto:sg...@thetasgroup.com] Is this a bug? Is it something we are doing wrong? Is there any information we could send that would help diagnose and prevent the issue? No idea. But I posted about the missing char issue a couple of days ago: http://svn.haxx.se/users/archive-2013-09/0116.shtml It's either a harmless presentation error, or the missing char implies a malformed pathname that is possibly mucking up the merge analysis? Hi Andrew, did you have time to answer Ivan's questions from this post? http://svn.haxx.se/users/archive-2013-09/0142.shtml Knowing where the mergeinfo corruption starts occurring would help us greatly with hunting down the issue. Does the corruption happen also if you use file:// URLs on the server during checkout/merge, instead of http:// ? This reply is a little late (jury duty) but svn:mergeinfo was clean (no truncations) on trunk and trunk/config for ^/..., working path, and directly on the server using file:///. Hopefully, http://svn.apache.org/r1523666 fixes the problem.
Re: Problem committing 1.8 client to 1.8 server
Ah, that makes sense now. Apache is recent(2.2.25), but the server is using cpanel, and the configuration for that looks like it's by default pretty locked down. I'll go update that. Thanks! -Robert Middleton On Mon, Sep 16, 2013 at 10:17 PM, Ben Reser b...@reser.org wrote: On Mon Sep 16 17:37:20 2013, Ben Reser wrote: This looks like your mod_security configuration doesn't know about chunked encoding for requests. 1.8.x now prefers to use chunked encoding in requests. I'm not sure what you need to change to configure mod_security to allow chunked requests but that's what you'll probably want to do. Based on this it looks like you're running an out of date version of mod_security: http://serverfault.com/questions/65733/why-does-modsecurity-require-content-length-in-post-requests
Re: Push ?
On Tue, Sep 17, 2013 at 7:11 AM, Nico Kadel-Garcia nka...@gmail.com wrote: There is always the trick of ssh-ing a command from inside the firewall to the DMZ box that (a) sets up port-forwarding and (b) runs the svn command as though the repo is on localhost. Technically, and from the firewall's point of view, the connection is established outbound. This is also a firing offense in many environments. Yes, I can understand institutions and security policies that blindly outlaw tunnels, but note that in this case it goes the 'right' direction.- that is the control and connection comes from the 'more secure' side and the tunnel is just because the program that needs to run won't make its own connection in the direction you need. I once had a chief developer, with various root SSH key access, running just such tunnels to and from his home machine, tunnels that I happened to notice. He was also using non-passphrase protected SSH keys, and had *built* the previous version of Subversion in use at that company. Given the secure data he had access to this way, from offsite, it caused a serous scandal behind closed doors, (And I replaced that Subversion with a source controlled one, owned by root, instead of the one owned by him individually!) First, it is kind of foolish to assume that anyone with an unrestricted ssh login doesn't have complete access to all the data that account can read (or reach from either side of the connection), but also note that this is the opposite case, where the connection origin and tunnel destination are on the 'less secure' side and the controlling keys are also outside. -- Les Mikesell lesmikes...@gmail.com
Path based authorization using LDAP groups
I'm trying to setup a path based authorization using different LDAP groups. Developers should be able to see all repositories and commit to all repos (the corresponding LDAP group is subversion_developers) Business users should be able to see all repositories but only commit to specific assigned repo (corresponding LDAP group is subversion_bususers) There is another LDAP group which is subversion_readonly which is intended to give read only access to all repos. My httpd.conf looks something like this: RedirectMatch ^(/svn)$ $1/ Location /repos DAV svn SVNParentPath /local/data/svn/svntestrepos SVNReposName CollabNet Subversion Repository BrowserMatch ^SVN/1.[456] denyclient order allow,deny allow from all deny from env=denyclient SVNListParentPath On Allow from all AuthType Basic AuthName CollabNet Subversion Repository AuthBasicProvider ldap AuthLDAPUrl ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*; NONE AuthLDAPBindDN svn_user AuthLDAPBindPassword password LimitExcept OPTIONS GET PROPFIND REPORT require ldap-group CN= subversion_readonly,OU=abc Access Groups,DC=abc,DC=com /LimitExcept require ldap-group CN= subversion_developers,OU=abc Access Groups,DC=abc,DC=com /Location Location /repos/business DAV svn SVNPath /local/data/svn/svntestrepos/business SVNReposName CollabNet Business users Subversion Repository BrowserMatch ^SVN/1.[456] denyclient order allow,deny allow from all deny from env=denyclient Allow from all AuthType Basic AuthName CollabNet Business Users Subversion Repository AuthBasicProvider ldap AuthLDAPUrl ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*; NONE AuthLDAPBindDN svn_user AuthLDAPBindPassword password LimitExcept OPTIONS GET PROPFIND REPORT require ldap-group CN= subversion_readonly,OU=abc Access Groups,DC=abc,DC=com /LimitExcept require ldap-group CN= subversion_bususers,OU=abc Access Groups,DC=abc,DC=com /Location I'm able to access all repos except the business repo with this setting and when I try to commit something I get an error saying Redirect cycle detected for URL Does this have something to do with the line RedirectMatch ^(/svn)$ $1/ ? I'm pretty much a novice at apache configuration, so forgive my ignorance. Any help is appreciated, Thank you. Barclaycard www.barclaycardus.com This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on.
Re: Path based authorization using LDAP groups
On 13-09-17 11:26 AM, Tati, Aslesh : Barclaycard US wrote: I’m trying to setup a path based authorization using different LDAP groups. Developers should be able to see all repositories and commit to all repos (the corresponding LDAP group is subversion_developers) Business users should be able to see all repositories but only commit to specific assigned repo (corresponding LDAP group is subversion_bususers) There is another LDAP group which is subversion_readonly which is intended to give read only access to all repos. My httpd.conf looks something like this: RedirectMatch ^(/svn)$ $1/ Location /repos DAV svn SVNParentPath /local/data/svn/svntestrepos SVNReposName CollabNet Subversion Repository BrowserMatch ^SVN/1.[456] denyclient order allow,deny allow from all deny from env=denyclient SVNListParentPath On Allow from all AuthType Basic AuthName CollabNet Subversion Repository AuthBasicProvider ldap AuthLDAPUrl ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*; NONE AuthLDAPBindDN svn_user AuthLDAPBindPassword password LimitExcept OPTIONS GET PROPFIND REPORT require ldap-group CN= subversion_readonly,OU=abc Access Groups,DC=abc,DC=com /LimitExcept require ldap-group CN= subversion_developers,OU=abc Access Groups,DC=abc,DC=com /Location Location /repos/business DAV svn SVNPath /local/data/svn/svntestrepos/business SVNReposName CollabNet Business users Subversion Repository BrowserMatch ^SVN/1.[456] denyclient order allow,deny allow from all deny from env=denyclient Allow from all AuthType Basic AuthName CollabNet Business Users Subversion Repository AuthBasicProvider ldap AuthLDAPUrl ldap://xyz.com:3268/dc=abc,dc=com?sAMAccountName?sub?objectClass=*; NONE AuthLDAPBindDN svn_user AuthLDAPBindPassword password LimitExcept OPTIONS GET PROPFIND REPORT require ldap-group CN= subversion_readonly,OU=abc Access Groups,DC=abc,DC=com /LimitExcept require ldap-group CN= subversion_bususers,OU=abc Access Groups,DC=abc,DC=com /Location I’m able to access all repos except the business repo with this setting and when I try to commit something I get an error saying “Redirect cycle detected for URL” Does this have something to do with the line RedirectMatch ^(/svn)$ $1/ ? I’m pretty much a novice at apache configuration, so forgive my ignorance. Any help is appreciated, Thank you. Barclaycard www.barclaycardus.com http://www.barclaycardus.com This email and any files transmitted with it may contain confidential and/or proprietary information. It is intended solely for the use of the individual or entity who is the intended recipient. Unauthorized use of this information is prohibited. If you have received this in error, please contact the sender by replying to this message and delete this material from any system it may be on. RedirectMatch tells the requesting tool to try again at the new address, which means it returns a response code and tells the client to try again at the new address. In your case, ^(/svn)$ $1/ says Match ONLY /svn and then Redirect to /svn/, which probably is getting sent back into the RedirectMatch. Http:/httpd.apache.org/docs/2.2/mod_alias.html has the relevant information. If you want to redirect any URLS that look like www.example.com/svn/business to www.example.com/respos/business, you would need something like the following: RedirectMatch ^/svn/(*.) /repos/$1 Is there a reason you are doing URL redirection, though? You can probably just set the Location directives to be /svn and /svn/business directly and not deal with redirects or rewrites at all. If you really are looking at doing URL modifications, you might be better served with mod_rewrite. Robert
Re: Push ?
First, it is kind of foolish to assume that anyone with an unrestricted ssh login doesn't have complete access to all the data that account can read (or reach from either side of the connection), but also note that this is the opposite case, where the connection origin and tunnel destination are on the 'less secure' side and the controlling keys are also outside. Oh, Les, this clown was doing both and all and simply treating security as something that stops me from getting my important work done. It's understandable: blindly applied policies do encourage people to simply work around them, and encourage people to work around them. Blindly applied workarounds are a similar problem. Simply setting up SSH tunnels, without some serious thought about how to keep it off the radar of the script kiddies, or keep it tied to Subversion repository mirroring alone and not abused for other purposes is one that needs serious thought. For example, a quick review of SSH daemon configurations allows one to set up an SSH daemon that is dedicated to Subversion SSH tunnels, with a restricted and forced specific SSH public key matched to the daemon that can only be used by the specific tunnel user, tied to the Subversion server's restricted access. But that takes significant extra work, and root privileges to start if the daemon is going to run on low numbered ports, and even SELinux considerations if that's enabled on either end.