Re: Authz on Collection of Repositories

2013-01-16 Thread C. Michael Pilato
On 01/16/2013 03:07 PM, Thomas Åkesson wrote: > I think you have improved this complicated piece. Good, 'cause that's what I committed. :-) > Btw, I tried to convey the difficulty of combining Anonymous and > authenticated access (you wrote about that long ago) in the Note under > Example 2. Hop

Re: Authz on Collection of Repositories

2013-01-16 Thread Thomas Åkesson
On 16 jan 2013, at 20:44, C. Michael Pilato wrote: > On 01/16/2013 02:27 PM, Thomas Åkesson wrote: >> >> On 16 jan 2013, at 20:15, C. Michael Pilato wrote: >> >>> On 01/16/2013 01:54 PM, Thomas Åkesson wrote: Hi Ivan, I committed to drafting some change notes for this change qui

Re: Authz on Collection of Repositories

2013-01-16 Thread C. Michael Pilato
On 01/16/2013 02:27 PM, Thomas Åkesson wrote: > > On 16 jan 2013, at 20:15, C. Michael Pilato wrote: > >> On 01/16/2013 01:54 PM, Thomas Åkesson wrote: >>> Hi Ivan, >>> >>> I committed to drafting some change notes for this change quite some time >>> ago. >>> >>> - Below is a draft of a section t

Re: Authz on Collection of Repositories

2013-01-16 Thread Thomas Åkesson
On 16 jan 2013, at 20:15, C. Michael Pilato wrote: > On 01/16/2013 01:54 PM, Thomas Åkesson wrote: >> Hi Ivan, >> >> I committed to drafting some change notes for this change quite some time >> ago. >> >> - Below is a draft of a section to include in Release Notes. I suggest >> just after "In r

Re: Authz on Collection of Repositories

2013-01-16 Thread C. Michael Pilato
On 01/16/2013 01:54 PM, Thomas Åkesson wrote: > Hi Ivan, > > I committed to drafting some change notes for this change quite some time > ago. > > - Below is a draft of a section to include in Release Notes. I suggest > just after "In repository authz". - Patch contains line for CHANGES - > Patch

Re: Authz on Collection of Repositories

2013-01-16 Thread Thomas Åkesson
Hi Ivan, I committed to drafting some change notes for this change quite some time ago. - Below is a draft of a section to include in Release Notes. I suggest just after "In repository authz". - Patch contains line for CHANGES - Patch contains clarification and new example for mod_authz_svn

Re: Authz on Collection of Repositories

2012-11-14 Thread Thomas Åkesson
On 14 nov 2012, at 11:53, Ivan Zhakov wrote: >>> >>> Confirmed as far as my testing goes (did not test short_circuit). I suggest >>> committing the patch with GET subrequest and potentially change all to >>> HEAD in a separate commit if there is consensus. >> Committed in r1408184. > I doubt abo

Re: Authz on Collection of Repositories

2012-11-14 Thread Ivan Zhakov
On Mon, Nov 12, 2012 at 4:23 PM, Ivan Zhakov wrote: > On Mon, Nov 12, 2012 at 2:28 AM, Thomas Åkesson > wrote: >> >> On 9 nov 2012, at 18:45, Ivan Zhakov wrote: >> >>> On Thu, Nov 8, 2012 at 6:49 PM, Thomas Åkesson >>> wrote: Parentpath on /svn/ and Satisfy Any: - Access with

Re: Authz on Collection of Repositories

2012-11-12 Thread Ivan Zhakov
On Mon, Nov 12, 2012 at 2:28 AM, Thomas Åkesson wrote: > > On 9 nov 2012, at 18:45, Ivan Zhakov wrote: > >> On Thu, Nov 8, 2012 at 6:49 PM, Thomas Åkesson >> wrote: >>> >>> Parentpath on /svn/ and Satisfy Any: >>> >>> - Access without auth displays repositories with anonymous access, auth is >>>

Re: Authz on Collection of Repositories

2012-11-11 Thread Thomas Åkesson
On 9 nov 2012, at 18:45, Ivan Zhakov wrote: > On Thu, Nov 8, 2012 at 6:49 PM, Thomas Åkesson > wrote: >> >> Parentpath on /svn/ and Satisfy Any: >> >> - Access without auth displays repositories with anonymous access, auth is >> not requested. >> - Access with auth displays filtered list. Wor

Re: Authz on Collection of Repositories

2012-11-09 Thread Ivan Zhakov
On Thu, Nov 8, 2012 at 6:49 PM, Thomas Åkesson wrote: > On 5 nov 2012, at 00:21, Thomas Åkesson wrote: >> Hi Thomas, Thank you for comprehensive testing! See my reply inline. >> I have meant to set up a test server with our reference configuration to >> validate the patch under realistic circu

Content-Length in HEAD responses (was: Re: Authz on Collection of Repositories)

2012-11-08 Thread Daniel Shahaf
Thomas Åkesson wrote on Thu, Nov 08, 2012 at 15:15:03 +0100: > > On 5 nov 2012, at 09:11, Branko Čibej wrote: > > > On 05.11.2012 00:21, Thomas Åkesson wrote: > >> I did some tests with curl --head just as a sanity check. It seems to be a > >> good choice for access control. I primarily wanted t

Re: Authz on Collection of Repositories

2012-11-08 Thread Thomas Åkesson
On 5 nov 2012, at 00:21, Thomas Åkesson wrote: > > I have meant to set up a test server with our reference configuration to > validate the patch under realistic circumstances. Unfortunately, the SLES > activation servers have been down for several hours (we don't have dev tools > on our VM Appl

Re: Authz on Collection of Repositories

2012-11-08 Thread Thomas Åkesson
On 5 nov 2012, at 09:11, Branko Čibej wrote: > On 05.11.2012 00:21, Thomas Åkesson wrote: >> I did some tests with curl --head just as a sanity check. It seems to be a >> good choice for access control. I primarily wanted to see that HEAD requests >> were not allowed in situations where GET is

Re: Authz on Collection of Repositories

2012-11-05 Thread Ivan Zhakov
On Mon, Nov 5, 2012 at 5:06 PM, Lieven Govaerts wrote: > On Mon, Nov 5, 2012 at 1:15 PM, Ivan Zhakov wrote: >> On Mon, Nov 5, 2012 at 12:11 PM, Branko Čibej wrote: >>> On 05.11.2012 00:21, Thomas Åkesson wrote: I did some tests with curl --head just as a sanity check. It seems to be a

Re: Authz on Collection of Repositories

2012-11-05 Thread Lieven Govaerts
Mark, On Mon, Nov 5, 2012 at 2:12 PM, Mark Phippard wrote: > On Mon, Nov 5, 2012 at 8:07 AM, Mark Phippard wrote: >> On Mon, Nov 5, 2012 at 8:01 AM, Lieven Govaerts wrote: >>> On Mon, Nov 5, 2012 at 12:02 PM, Mark Phippard wrote: On Nov 5, 2012, at 3:11 AM, Branko Čibej wrote: >

Re: Authz on Collection of Repositories

2012-11-05 Thread Mark Phippard
On Mon, Nov 5, 2012 at 8:12 AM, Mark Phippard wrote: > On Mon, Nov 5, 2012 at 8:07 AM, Mark Phippard wrote: >> On Mon, Nov 5, 2012 at 8:01 AM, Lieven Govaerts wrote: >>> On Mon, Nov 5, 2012 at 12:02 PM, Mark Phippard wrote: On Nov 5, 2012, at 3:11 AM, Branko Čibej wrote: > On 05.

Re: Authz on Collection of Repositories

2012-11-05 Thread Mark Phippard
On Mon, Nov 5, 2012 at 8:07 AM, Mark Phippard wrote: > On Mon, Nov 5, 2012 at 8:01 AM, Lieven Govaerts wrote: >> On Mon, Nov 5, 2012 at 12:02 PM, Mark Phippard wrote: >>> On Nov 5, 2012, at 3:11 AM, Branko Čibej wrote: >>> On 05.11.2012 00:21, Thomas Åkesson wrote: > I did some tests w

Re: Authz on Collection of Repositories

2012-11-05 Thread Mark Phippard
On Mon, Nov 5, 2012 at 8:01 AM, Lieven Govaerts wrote: > On Mon, Nov 5, 2012 at 12:02 PM, Mark Phippard wrote: >> On Nov 5, 2012, at 3:11 AM, Branko Čibej wrote: >> >>> On 05.11.2012 00:21, Thomas Åkesson wrote: I did some tests with curl --head just as a sanity check. It seems to be a >>>

Re: Authz on Collection of Repositories

2012-11-05 Thread Lieven Govaerts
On Mon, Nov 5, 2012 at 1:15 PM, Ivan Zhakov wrote: > On Mon, Nov 5, 2012 at 12:11 PM, Branko Čibej wrote: >> On 05.11.2012 00:21, Thomas Åkesson wrote: >>> I did some tests with curl --head just as a sanity check. It seems to be a >>> good choice for access control. I primarily wanted to see tha

Re: Authz on Collection of Repositories

2012-11-05 Thread Lieven Govaerts
On Mon, Nov 5, 2012 at 12:02 PM, Mark Phippard wrote: > On Nov 5, 2012, at 3:11 AM, Branko Čibej wrote: > >> On 05.11.2012 00:21, Thomas Åkesson wrote: >>> I did some tests with curl --head just as a sanity check. It seems to be a >>> good choice for access control. I primarily wanted to see tha

Re: Authz on Collection of Repositories

2012-11-05 Thread Ivan Zhakov
On Mon, Nov 5, 2012 at 12:11 PM, Branko Čibej wrote: > On 05.11.2012 00:21, Thomas Åkesson wrote: >> I did some tests with curl --head just as a sanity check. It seems to be a >> good choice for access control. I primarily wanted to see that HEAD requests >> were not allowed in situations where

Re: Authz on Collection of Repositories

2012-11-05 Thread Branko Čibej
On 05.11.2012 12:02, Mark Phippard wrote: > On Nov 5, 2012, at 3:11 AM, Branko Čibej wrote: > >> On 05.11.2012 00:21, Thomas Åkesson wrote: >>> I did some tests with curl --head just as a sanity check. It seems to be a >>> good choice for access control. I primarily wanted to see that HEAD >>> r

Re: Authz on Collection of Repositories

2012-11-05 Thread Mark Phippard
On Nov 5, 2012, at 3:11 AM, Branko Čibej wrote: > On 05.11.2012 00:21, Thomas Åkesson wrote: >> I did some tests with curl --head just as a sanity check. It seems to be a >> good choice for access control. I primarily wanted to see that HEAD requests >> were not allowed in situations where GET

Re: Authz on Collection of Repositories

2012-11-05 Thread Branko Čibej
On 05.11.2012 00:21, Thomas Åkesson wrote: > I did some tests with curl --head just as a sanity check. It seems to be a > good choice for access control. I primarily wanted to see that HEAD requests > were not allowed in situations where GET is not (e.g. when user has access in > directories bel

Re: Authz on Collection of Repositories

2012-11-04 Thread Thomas Åkesson
Thanks Ivan for your work. I have very little experience with the svn codebase so my review is probably not very valuable. Anyway, looks good to me. I have meant to set up a test server with our reference configuration to validate the patch under realistic circumstances. Unfortunately, the SLES

Re: Authz on Collection of Repositories

2012-11-02 Thread Branko Čibej
On 02.11.2012 15:25, C. Michael Pilato wrote: > On 11/02/2012 09:50 AM, Mark Phippard wrote: >> On Fri, Nov 2, 2012 at 4:13 AM, Ivan Zhakov wrote: >>> Looking forward for your review. Thanks! >> + /* Build a Public Resource uri representing repository root. */ >> + uri = svn_urlpath__join(dav_s

Re: Authz on Collection of Repositories

2012-11-02 Thread C. Michael Pilato
On 11/02/2012 09:50 AM, Mark Phippard wrote: > On Fri, Nov 2, 2012 at 4:13 AM, Ivan Zhakov wrote: >> Looking forward for your review. Thanks! > > + /* Build a Public Resource uri representing repository root. */ > + uri = svn_urlpath__join(dav_svn__get_root_dir(r), > +

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-11-02 Thread Mark Phippard
On Fri, Nov 2, 2012 at 10:09 AM, Ivan Zhakov wrote: >> So on a repository like the ASF or Wordpress where there are >> a lot of top level folders then the server might have to do a fair >> amount of work to process the request and return. I assume we do not >> care about the content of the respons

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-11-02 Thread Ivan Zhakov
On Fri, Nov 2, 2012 at 5:50 PM, Mark Phippard wrote: > On Fri, Nov 2, 2012 at 4:13 AM, Ivan Zhakov wrote: >> On Tue, Oct 23, 2012 at 4:23 PM, C. Michael Pilato >> wrote: >>> On 10/23/2012 07:24 AM, Ivan Zhakov wrote: I'm working on the patch to list only readable repositories. There is >>>

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-11-02 Thread Mark Phippard
On Fri, Nov 2, 2012 at 4:13 AM, Ivan Zhakov wrote: > On Tue, Oct 23, 2012 at 4:23 PM, C. Michael Pilato > wrote: >> On 10/23/2012 07:24 AM, Ivan Zhakov wrote: >>> I'm working on the patch to list only readable repositories. There is >>> already TODO comment in the code by cmpilato: >>> subversio

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-11-02 Thread Ivan Zhakov
On Tue, Oct 23, 2012 at 4:23 PM, C. Michael Pilato wrote: > On 10/23/2012 07:24 AM, Ivan Zhakov wrote: >> I'm working on the patch to list only readable repositories. There is >> already TODO comment in the code by cmpilato: >> subversion\mod_dav_svn\repos.c:3461 >> [[[ >> /* ### TODO: We cou

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-25 Thread Thomas Åkesson
On 24 okt 2012, at 15:37, Roderich Schupp wrote: > On Wed, Oct 24, 2012 at 6:09 AM, Daniel Shahaf > wrote: >> Daniel Shahaf wrote on Wed, Oct 24, 2012 at 06:07:45 +0200: >>> I can't reproduce this. 'curl -s https://svn.apache.org/repos/private/' >> Since I didn't pass -u, in both cases I was b

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-24 Thread Roderich Schupp
On Wed, Oct 24, 2012 at 6:09 AM, Daniel Shahaf wrote: > Daniel Shahaf wrote on Wed, Oct 24, 2012 at 06:07:45 +0200: >> I can't reproduce this. 'curl -s https://svn.apache.org/repos/private/' > Since I didn't pass -u, in both cases I was browsing as an anonymous user. >> That server runs 1.7.0. S

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-23 Thread Daniel Shahaf
Daniel Shahaf wrote on Wed, Oct 24, 2012 at 06:07:45 +0200: > Roderich Schupp wrote on Wed, Oct 24, 2012 at 00:54:07 +0200: > > On Wed, Oct 24, 2012 at 12:08 AM, Thomas Åkesson wrote: > > > Are you saying that SVN 1.7 always allows browsing the root but it is > > > empty > > > when the user lacks

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-23 Thread Daniel Shahaf
Roderich Schupp wrote on Wed, Oct 24, 2012 at 00:54:07 +0200: > On Wed, Oct 24, 2012 at 12:08 AM, Thomas Åkesson wrote: > > Are you saying that SVN 1.7 always allows browsing the root but it is empty > > when the user lacks authz? > > Yes - for a "standalone" repository (i.e. one specified with S

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-23 Thread Roderich Schupp
On Wed, Oct 24, 2012 at 12:08 AM, Thomas Åkesson wrote: > Are you saying that SVN 1.7 always allows browsing the root but it is empty > when the user lacks authz? Yes - for a "standalone" repository (i.e. one specified with SVNPath, _not_ with SVNParentPath) Cheers, Roderich

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-23 Thread Thomas Åkesson
On 23 okt 2012, at 14:22, roderich.sch...@gmail.com wrote: > I'm working on the patch to list only readable repositories. There is > already TODO comment in the code by cmpilato: > subversion\mod_dav_svn\repos.c:3461 > Thanks Ivan for looking into it. Let's see if it is feasible to address.

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-23 Thread Branko Čibej
On 23.10.2012 13:48, Stefan Sperling wrote: > On Tue, Oct 23, 2012 at 04:29:51PM +0400, Ivan Zhakov wrote: I'm working on the patch to list only readable repositories. There is already TODO comment in the code by cmpilato: subversion\mod_dav_svn\repos.c:3461 [[[ /* ###

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-23 Thread C. Michael Pilato
On 10/23/2012 08:48 AM, Stefan Sperling wrote: > On Tue, Oct 23, 2012 at 04:29:51PM +0400, Ivan Zhakov wrote: I'm working on the patch to list only readable repositories. There is already TODO comment in the code by cmpilato: subversion\mod_dav_svn\repos.c:3461 [[[ /* #

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-23 Thread Stefan Sperling
On Tue, Oct 23, 2012 at 04:29:51PM +0400, Ivan Zhakov wrote: > >> I'm working on the patch to list only readable repositories. There is > >> already TODO comment in the code by cmpilato: > >> subversion\mod_dav_svn\repos.c:3461 > >> [[[ > >> /* ### TODO: We could test for readability of the ro

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-23 Thread Ivan Zhakov
On Tue, Oct 23, 2012 at 4:23 PM, C. Michael Pilato wrote: > On 10/23/2012 07:24 AM, Ivan Zhakov wrote: >> I'm working on the patch to list only readable repositories. There is >> already TODO comment in the code by cmpilato: >> subversion\mod_dav_svn\repos.c:3461 >> [[[ >> /* ### TODO: We cou

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-23 Thread C. Michael Pilato
On 10/23/2012 07:24 AM, Ivan Zhakov wrote: > I'm working on the patch to list only readable repositories. There is > already TODO comment in the code by cmpilato: > subversion\mod_dav_svn\repos.c:3461 > [[[ > /* ### TODO: We could test for readability of the root > directory of eac

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-23 Thread roderich.sch...@gmail.com
> > I'm working on the patch to list only readable repositories. There is > already TODO comment in the code by cmpilato: > subversion\mod_dav_svn\repos.c:3461 > Please keep in mind that the problem is not restricted to parent-path collections of repositories: Since SVN 1.7 any user can "list

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-23 Thread Ivan Zhakov
On Thu, Oct 18, 2012 at 2:06 PM, Thomas Åkesson wrote: > There was a discussion in April 2010 regarding the "fix" for issue 2753. > http://svn.haxx.se/dev/archive-2010-04/0277.shtml > [...] > > During the 2010 discussion Mike suggested something that we (Simonsoft) > would be very happy to see im

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-22 Thread Daniel Shahaf
Thomas Åkesson wrote on Mon, Oct 22, 2012 at 17:20:44 +0200: > On 19 okt 2012, at 02:07, Daniel Shahaf wrote: > > This is complicated by: > > > > - The DAV protocol does not prompt for authentication for resources > > readable by anonymous (for this, see cmpilato's old "foo-no-anon" > > blog pos

Re: Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-22 Thread Thomas Åkesson
To clarify what this issue is about: Subversion 1.7 leaks repository names when configured with SVNListParentPath and AuthzSVNAccessFile. It might have been unintentional, but with Subversion 1.6 (and earlier) it was possible to control access to the repository list (Collection of Repositories)

Authz on Collection of Repositories (was: Expansion of authz policy name leak)

2012-10-18 Thread Thomas Åkesson
d to display the repositories where the user has access. Status in Subversion 1.7 - The fix for issue 2753 presumably enables SVNListParentPath to work with authz on server root. By completely removing authz on Collection of Repositories (?). - It is no longer possible to protect "Collecti