Authz - paths with trailing slash isn't supported - right?


Paul Hammant-3
In authz files, [/] is often mentioned as a cross-cutting repo root that has permissions for users and groups.

There are no other references to a path in square brackets with a trailing slash. At least, not

That was context, and here's the question or perhaps bug report...

So, administrators of Svn installs should not create paths in authz files with trailing slashes - like [/foo/] - right? I say that because my attempts to do so yield plenty of unexplainable 403 responses in ordinary clients like web browsers. Making me think it's a bug.

Or there could be a dev-team view that this is a documentation improvement issue at this point. Specifically some advice like "Paths that are directories don't have trailing slashes in square brackets other than [/] for the root" added to the above page.

One more thing - Mike Pilato's http://blogs.collab.net/subversion/authz_and_anon_ article on CollabNet's blog ... would be great if it were slurped into the SvnBook somehow. Anyone from Collabnet care to weigh in?

- Paul


Re: Authz - paths with trailing slash isn't supported - right?

Branko Čibej
On 09.12.2017 22:22, Paul Hammant wrote:
> Or there could be a dev-team view that this is a documentation
> improvement issue at this point. Specifically some advice  like "Paths
> that are directories don't have trailing slashes in square brackets
> other than [/] for the root" added to the above page.

The / on the root is not a trailing slash; it's a leading slash. Paths
in the authz file must /start/ with a slash.

> One more thing - Mike Pilato's
> http://blogs.collab.net/subversion/authz_and_anon_ article on
> CollabNet's blog ... would be great if it were slurped into the
> SvnBook somehow. Anyone from Collabnet care to weigh in?

You'd best ask the Mike Pilato who's the co-author of The Book about that.

-- Brane


Re: Authz - paths with trailing slash isn't supported - right?

Daniel Shahaf-2
In reply to this post by Paul Hammant-3
Paul Hammant wrote on Sat, 09 Dec 2017 16:22 -0500:
> So, administrators of Svn installs should *not* create paths in authz files
> with *trailing slashes* - like [/foo/] - right?  I say that because my
> attempts to do so yields plenty of unexplainable 403 responses in ordinary
> clients like web browsers. Making me think it's a bug.

No, it's intentional:

https://subversion.apache.org/docs/release-notes/1.8.html#authz-fspath-syntax

The cause of the 403 should be logged on the server side.

> Or there could be a dev-team view that this is a documentation improvement
> issue at this point. Specifically some advice  like "Paths that are
> directories don't have trailing slashes in square brackets other than [/]
> for the root" added to the above page.
>
> One more thing - Mike Pilato's
> http://blogs.collab.net/subversion/authz_and_anon_ article on CollabNet's
> blog ... would be great if it were slurped into the SvnBook somehow. Anyone
> from Collabnet care to weigh in?

Bug reports against the book should go to [hidden email]

Re: Authz - paths with trailing slash isn't supported - right?

Mark Phippard-3
In reply to this post by Paul Hammant-3

On Dec 9, 2017, at 4:22 PM, Paul Hammant <[hidden email]> wrote:

> One more thing - Mike Pilato's http://blogs.collab.net/subversion/authz_and_anon_ article on CollabNet's blog ... would be great if it were slurped into the SvnBook somehow. Anyone from Collabnet care to weigh in?

I thought Mike already did? http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html#svn.serverconfig.pathbasedauthz.gotchas

Mark

Re: Authz - paths with trailing slash isn't supported - right?

Paul Hammant-3
In reply to this post by Branko Čibej

> The / on the root is not a trailing slash; it's a leading slash. Paths
> in the authz file must /start/ with a slash.

Obvious really, I guess.
 


Re: Authz - paths with trailing slash isn't supported - right?

Paul Hammant-3
In reply to this post by Daniel Shahaf-2

> No, it's intentional:
>
> https://subversion.apache.org/docs/release-notes/1.8.html#authz-fspath-syntax
>
> The cause of the 403 should be logged on the server side.

It was:

[Sat Dec 09 22:24:47.803767 2017] [authz_svn:error] [pid 13] [client 172.17.0.1:35066] Failed to load the mod_authz_svn config: Section name '/foo/a/' contains non-canonical fspath '/foo/a/'
[Sat Dec 09 22:24:47.803817 2017] [authz_svn:error] [pid 13] [client 172.17.0.1:35066] Access denied: 'harry' GET foo:/a 



>.. would be great if it were slurped into the SvnBook somehow. Anyone
> from Collabnet care to weigh in?

> Bug reports against the book should go to [hidden email]

Will do.


Re: Authz - paths with trailing slash isn't supported - right?

Paul Hammant-3
> The cause of the 403 should be logged on the server side.

It was:

[Sat Dec 09 22:24:47.803767 2017] [authz_svn:error] [pid 13] [client 172.17.0.1:35066] Failed to load the mod_authz_svn config: Section name '/foo/a/' contains non-canonical fspath '/foo/a/'
[Sat Dec 09 22:24:47.803817 2017] [authz_svn:error] [pid 13] [client 172.17.0.1:35066] Access denied: 'harry' GET foo:/a 


Should an unparsable authz file be communicated in a clearer way than some URLs working and some 403ing? Should I raise this in https://issues.apache.org/jira/browse/SVN or not?

- Paul

Re: Authz - paths with trailing slash isn't supported - right?

Daniel Shahaf-2
Paul Hammant wrote on Sat, 09 Dec 2017 21:54 -0500:

> >
> > The cause of the 403 should be logged on the server side.
> >>
> >
> > It was:
> >
> > [Sat Dec 09 22:24:47.803767 2017] [authz_svn:error] [pid 13] [client
> > 172.17.0.1:35066] Failed to load the mod_authz_svn config: Section name
> > '/foo/a/' contains non-canonical fspath '/foo/a/'
> > [Sat Dec 09 22:24:47.803817 2017] [authz_svn:error] [pid 13] [client
> > 172.17.0.1:35066] Access denied: 'harry' GET foo:/a
> >
>
> Should an unparsable authz file be communicated in a clearer way than some
> URLs working and some 403ing?

Last I checked, that's not the failure mode.  When the authz file fails
to parse, *all* accesses to the repository result in 403.  That's true
even if the file parses correctly insofar as the .ini ConfigParser
format is concerned, but isn't a valid authz file for other reasons
(e.g., non-canonical paths in section headers).

> Should I raise this in https://issues.apache.org/jira/browse/SVN
> or not ?

We could clarify the error message by having it refer the admin to the
server log.  We might also have the error message state "The authz file
failed to parse" (without details; we'd consider the authz file's path
and section names to be confidential).

Is that what you had in mind?  Or are you thinking of a larger change,
e.g., detecting the invalid authz file even before a request is made to
a repository that uses it (= the invalid authz file)?

Cheers,

Daniel
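
The larger change mentioned above, catching an invalid authz file before any request uses it, can be approximated by linting section headers before deployment. This is an added example, not Subversion's code and not part of the thread; `fspath_problem`, `lint_authz` and the sample file are constructed, and the checks (leading slash, no trailing slash except `/`, no empty or `.` segments) are an approximation of the server's canonical-fspath rule.

```python
import re

SPECIAL = {"groups", "aliases"}  # non-path sections of an authz file

def fspath_problem(fspath):
    """Return a reason string if fspath looks non-canonical, else None."""
    if not fspath.startswith("/"):
        return "does not start with '/'"
    if fspath == "/":
        return None  # the root: its slash is a leading slash
    if fspath.endswith("/"):
        return "trailing slash"
    segments = fspath[1:].split("/")
    if "" in segments:
        return "empty segment ('//')"
    if "." in segments:
        return "'.' segment"
    return None

def lint_authz(text):
    """Return [(line_no, section_name, reason)] for suspect section headers."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*\[(.*)\]\s*$", line)
        if not m or m.group(1) in SPECIAL:
            continue
        name = m.group(1)
        # "repos:/path" form: the fspath is what follows the first ':'
        has_repos = ":" in name and not name.startswith("/")
        fspath = name.split(":", 1)[1] if has_repos else name
        reason = fspath_problem(fspath)
        if reason:
            findings.append((line_no, name, reason))
    return findings

# Constructed sample authz file; [/foo/a/] mirrors the section in the log above.
SAMPLE = """\
[groups]
devs = harry
[/]
* = r
[/foo/a/]
harry = rw
[foo:/a]
@devs = rw
[foo:/b//c]
sally = r
"""
```

Because one bad header makes every access to the repository return 403, a non-empty result from `lint_authz` is worth treating as a deployment blocker. The authoritative check remains the server's own parser, which Subversion 1.8 and later expose as `svnauthz validate`.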

Re: Authz - paths with trailing slash isn't supported - right?

Paul Hammant-3

> Should I raise this in https://issues.apache.org/jira/browse/SVN
> or not ?

> We could clarify the error message by having it refer the admin to the
> server log.  We might also have the error message state "The authz file
> failed to parse" (without details; we'd consider the authz file's path
> and section names to be confidential).
>
> Is that what you had in mind?  Or are you thinking of a larger change,
> e.g., detecting the invalid authz file even before a request is made to
> a repository that uses it (= the invalid authz file)?

No, a small informational change, IMO.

Eight years ago in the Selenium team we sprinkled helpful URLs in the exception messages. Selenium was Java+Python+C#+Ruby+JavaScript back then and a hard tech to get going with in the view of many. It uses many more languages since V2. We had and still have lots of noobs wanting to get running with it, and driving them to a help page if they could see it in exception messages and logs was a way of reducing questions on mail-lists.

- Paul