Permission check of Repository Browser does not work
Reported by: anonymous
Owned by: Christian Boos
AuthzSourcePolicy slightly deviates from mod_authz_svn rules in order to show the parent folders of readable paths, so that one can actually find the latter by browsing.
Permission check of Repository Browser does not work correctly for me, is it a bug(security incident) or according to the specification?
I am using Trac 0.12.1 and Subversion in my project. I created a tag for my project, and set the access permissions for it. But the folders under the tag can be accessed with the repository browser, even if the user doesn't have permission to access them.
And it worked well when I used svn access.
(1) create a tag named "REL-1.0":
    svn copy http://host/svn/myproject/trunk/ http://host/svn/myproject/tags/REL-1.0
(2) set permissions for the tag. This is part of my svnauth file after I finished setting the permissions:
    [myproject:/tags/REL-1.0]
    * = r
    admin = r
    [myproject:/tags/REL-1.0/secret]
    * =
    admin = r
(3) login with a user (not admin). Access the secret folder by repository browser: http://host/trac/myproject/browser/tags/REL-1.0/secret
    The folders and files under "/tags/REL-1.0/secret" are displayed. I think this is not correct.
(4) Verify by svn access (not admin): http://host/svn/myroject/tags/REL-2.0/secret/
    The access was refused because there is not enough permission. I think this is correct.
P.S. I have debugged the source code of "browser.py" and "perm.py". I found that when I accessed the "/tags/REL-1.0/secret" folder by repository browser, the permission of "/trunk/secret" was checked by the first line of the _render_dir method in "browser.py" (node.resource). I hope the permission of "/tags/REL-1.0/secret" would be checked.
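To make the reported symptom concrete, the following is an added example (not code from Trac, Subversion or the reporter): a small evaluator for Subversion authz rules with the inheritance semantics of mod_authz_svn, applied to the authz fragment quoted in the ticket. Because the ticket only quotes part of the real file, a [myproject:/trunk] section granting everyone read is added as an assumption so that the effect of checking the copy source ("/trunk/secret") instead of the browsed path ("/tags/REL-1.0/secret") is visible. The can_browse function is a simplified model of the AuthzSourcePolicy behaviour described in the first comment (parents of readable paths are shown), not Trac's own implementation; group, alias and $authenticated rules are not modelled.

```python
"""Minimal evaluator for Subversion authz rules (mod_authz_svn-style inheritance).

Added illustration, not code from Trac or Subversion.  It embeds the authz
fragment quoted in the ticket plus one constructed section (see below) and
shows why the permission check must run against the path actually browsed,
not the path the tag was copied from.
"""
import configparser
import posixpath

# Constructed input: the two sections quoted in the ticket, plus a
# [myproject:/trunk] section granting everyone read.  The ticket quotes only
# part of the real file; the trunk section is an assumption that makes the
# wrong-path check observable.
AUTHZ_TEXT = """
[myproject:/trunk]
* = r

[myproject:/tags/REL-1.0]
* = r
admin = r

[myproject:/tags/REL-1.0/secret]
* =
admin = r
"""


def load_authz(text):
    """Parse authz text into {(repo, path): {user: rights}}; repo is None for [/path]."""
    parser = configparser.ConfigParser(allow_no_value=True, delimiters=("=",))
    parser.optionxform = str  # keep user names and '*' exactly as written
    parser.read_string(text)
    rules = {}
    for section in parser.sections():
        if ":" in section:
            repo, path = section.split(":", 1)
        else:
            repo, path = None, section  # [/path] applies to every repository
        rules[(repo, "/" + path.strip("/"))] = {
            user: (rights or "") for user, rights in parser.items(section)
        }
    return rules


def can_read(rules, repo, path, user):
    """Decide read access the way mod_authz_svn does (no groups or aliases).

    Walk from `path` up to '/'.  The first section that names the user, or
    failing that '*', decides; an empty right ('* =') is a denial.  A section
    that mentions neither is skipped and the parent decides.  Reaching the
    root without a decision means deny.
    """
    current = "/" + path.strip("/")
    while True:
        for key in ((repo, current), (None, current)):  # repo-specific first
            entry = rules.get(key)
            if entry is None:
                continue
            if user in entry:
                return "r" in entry[user]
            if "*" in entry:
                return "r" in entry["*"]
        if current == "/":
            return False  # default deny
        current = posixpath.dirname(current)


def can_browse(rules, repo, path, user):
    """Simplified model (an assumption, not Trac's code) of the policy behaviour
    described in the ticket: a directory is shown if the user can read it, or if
    it is an ancestor of a rule path the user can read, so readable paths can be
    reached by browsing."""
    if can_read(rules, repo, path, user):
        return True
    prefix = "/" + path.strip("/")
    prefix = "/" if prefix == "/" else prefix + "/"
    return any(
        rule_path.startswith(prefix) and can_read(rules, repo, rule_path, user)
        for rule_repo, rule_path in rules
        if rule_repo in (repo, None)
    )


def browser_check(rules, user, browsed_path, copy_source):
    """Return (correct, buggy): the decision for the path actually browsed versus
    the decision for the path the tag was copied from (the mis-check reported)."""
    return (
        can_browse(rules, "myproject", browsed_path, user),
        can_browse(rules, "myproject", copy_source, user),
    )


if __name__ == "__main__":
    rules = load_authz(AUTHZ_TEXT)
    for user in ("admin", "someone"):
        ok, wrong = browser_check(rules, user, "/tags/REL-1.0/secret", "/trunk/secret")
        print(f"{user:8} browsed path -> {ok}, copy source -> {wrong}")
```

Running it shows the non-admin user denied on "/tags/REL-1.0/secret" but allowed on "/trunk/secret": a check keyed on the copy source rather than the browsed path grants exactly the listing the ticket complains about, while "/tags" is still shown as a parent of the readable "/tags/REL-1.0".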
Change History (24)