Details
Bug
Resolution: Fixed
Medium
None
None
Description
Team:
We have a customer using CrowdAuth in Apache for DAV svn with anonymous access on. The svn log is missing the author on delete calls:
**
127.0.0.1 - contegix [24/Jun/2010:19:40:55 -0500] "CHECKOUT /!svn/ver/20885/sandbox HTTP/1.1" 201 324 "-" "SVN/1.6.12 (r955767) neon/0.25.5"
127.0.0.1 - - [24/Jun/2010:19:40:55 -0500] "DELETE /!svn/wrk/XXXXXXXXXXX/sandbox/test HTTP/1.1" 204 - "-" "SVN/1.6.12 (r955767) neon/0.25.5"
127.0.0.1 - contegix [24/Jun/2010:19:40:55 -0500] "MERGE /sandbox HTTP/1.1" 200 672 "-" "SVN/1.6.12 (r955767) neon/0.25.5"
127.0.0.1 - - [24/Jun/2010:19:40:55 -0500] "DELETE /!svn/act/XXXXXXXXXXX HTTP/1.1" 204 - "-" "SVN/1.6.12 (r955767) neon/0.25
**
As the username is not set, svn logs this as no author:
**
r20884 | contegix | 2010-06-24 19:27:21 -0500 (Thu, 24 Jun 2010) | 1 line
testing
------------------------------------------------------------------------
r20883 | (no author) | 2010-06-24 19:23:20 -0500 (Thu, 24 Jun 2010) | 1 line
test config
**
As the above are successful DELETE calls without a user auth, are there any possible security implications?
Best Regards,
—
David Miller
Contegix
Vote for Contegix In Linux Journal 2010 Awards
http://contegix.com/lj2010
Twitter: @contegix | http://twitter.com/contegix
Twitter: @contegixstatus | http://twitter.com/contegixstatus
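
One way to check an access log for the pattern reported above, successful state-changing WebDAV requests logged with no authenticated user, is sketched below. This is an added example, not code from the report or from Crowd: the function name and the read-only method set are assumptions, the first three sample lines are copied from the report, and the last two are constructed.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z-]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: methods treated as read-only for a DAV svn location.
# Every other method (DELETE, MERGE, CHECKOUT, PUT, MKACTIVITY, ...) changes state.
READ_ONLY = {"GET", "HEAD", "OPTIONS", "PROPFIND", "REPORT"}


def unauthenticated_writes(lines):
    """Return parsed entries for 2xx write requests whose remote user is '-'."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format, e.g. a truncated line
        entry = m.groupdict()
        if (entry["user"] == "-"
                and entry["method"] not in READ_ONLY
                and entry["status"].startswith("2")):
            hits.append(entry)
    return hits


SAMPLE = [
    # Copied from the report above.
    '127.0.0.1 - contegix [24/Jun/2010:19:40:55 -0500] "CHECKOUT /!svn/ver/20885/sandbox HTTP/1.1" 201 324 "-" "SVN/1.6.12 (r955767) neon/0.25.5"',
    '127.0.0.1 - - [24/Jun/2010:19:40:55 -0500] "DELETE /!svn/wrk/XXXXXXXXXXX/sandbox/test HTTP/1.1" 204 - "-" "SVN/1.6.12 (r955767) neon/0.25.5"',
    '127.0.0.1 - contegix [24/Jun/2010:19:40:55 -0500] "MERGE /sandbox HTTP/1.1" 200 672 "-" "SVN/1.6.12 (r955767) neon/0.25.5"',
    # Constructed: anonymous read, which anonymous access is expected to allow.
    '127.0.0.1 - - [24/Jun/2010:19:41:02 -0500] "PROPFIND /sandbox HTTP/1.1" 207 512 "-" "SVN/1.6.12 (r955767) neon/0.25.5"',
    # Constructed: anonymous write that the server rejected.
    '127.0.0.1 - - [24/Jun/2010:19:41:03 -0500] "DELETE /sandbox/other HTTP/1.1" 401 - "-" "SVN/1.6.12 (r955767) neon/0.25.5"',
]

if __name__ == "__main__":
    for hit in unauthenticated_writes(SAMPLE):
        print(hit["time"], hit["method"], hit["path"], hit["status"])
```

Hits from this check can be compared against `svn log` revisions recorded as `(no author)` at the same timestamps.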