Crowd Data Center / CWD-1954

Using CrowdAuth in Apache for DAV svn with anonymous access

    Description

      Team:

      We have a customer using CrowdAuth in Apache for DAV svn with anonymous access on. The svn log is missing the author on delete calls:
      127.0.0.1 - contegix [24/Jun/2010:19:40:55 -0500] "CHECKOUT /!svn/ver/20885/sandbox HTTP/1.1" 201 324 "-" "SVN/1.6.12 (r955767) neon/0.25.5"
      127.0.0.1 - - [24/Jun/2010:19:40:55 -0500] "DELETE /!svn/wrk/XXXXXXXXXXX/sandbox/test HTTP/1.1" 204 - "-" "SVN/1.6.12 (r955767) neon/0.25.5"
      127.0.0.1 - contegix [24/Jun/2010:19:40:55 -0500] "MERGE /sandbox HTTP/1.1" 200 672 "-" "SVN/1.6.12 (r955767) neon/0.25.5"
      127.0.0.1 - - [24/Jun/2010:19:40:55 -0500] "DELETE /!svn/act/XXXXXXXXXXX HTTP/1.1" 204 - "-" "SVN/1.6.12 (r955767) neon/0.25

      As the username is not set, svn logs this as no author:
      r20884 | contegix | 2010-06-24 19:27:21 -0500 (Thu, 24 Jun 2010) | 1 line

      testing
      ------------------------------------------------------------------------
      r20883 | (no author) | 2010-06-24 19:23:20 -0500 (Thu, 24 Jun 2010) | 1 line

      test config

      As the above are successful DELETE calls without a user auth, are there any possible security implications?

      Best Regards,


      David Miller
      Contegix
      Vote for Contegix In Linux Journal 2010 Awards
      http://contegix.com/lj2010

      Twitter: @contegix | http://twitter.com/contegix
      Twitter: @contegixstatus | http://twitter.com/contegixstatus
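
Added example, not part of the original report and not Atlassian or Contegix code: a Python check that scans Apache access-log lines like those above for successful WebDAV write requests logged with no remote user, and lists any authenticated user seen from the same client in the same second as a correlation heuristic. The function name, the method list and the same-second heuristic are choices made for this example; the sample lines are copied from the report.

```python
import re

# State-changing WebDAV/DeltaV methods (RFC 4918, RFC 3253) used by svn over HTTP.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH", "LOCK",
                 "UNLOCK", "MKACTIVITY", "CHECKOUT", "CHECKIN", "MERGE"}

# Leading fields of the Apache common/combined log format. Everything after the
# response size is ignored, so a line cut off in the user agent still parses.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z-]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Sample input: the four access-log lines from the report, copied as posted.
SAMPLE = '''
127.0.0.1 - contegix [24/Jun/2010:19:40:55 -0500] "CHECKOUT /!svn/ver/20885/sandbox HTTP/1.1" 201 324 "-" "SVN/1.6.12 (r955767) neon/0.25.5"
127.0.0.1 - - [24/Jun/2010:19:40:55 -0500] "DELETE /!svn/wrk/XXXXXXXXXXX/sandbox/test HTTP/1.1" 204 - "-" "SVN/1.6.12 (r955767) neon/0.25.5"
127.0.0.1 - contegix [24/Jun/2010:19:40:55 -0500] "MERGE /sandbox HTTP/1.1" 200 672 "-" "SVN/1.6.12 (r955767) neon/0.25.5"
127.0.0.1 - - [24/Jun/2010:19:40:55 -0500] "DELETE /!svn/act/XXXXXXXXXXX HTTP/1.1" 204 - "-" "SVN/1.6.12 (r955767) neon/0.25
'''

def unauthenticated_writes(lines):
    """Return successful write requests whose remote-user field is '-'."""
    records = [m.groupdict() for m in (LOG_RE.match(l.strip()) for l in lines) if m]
    # Heuristic (an assumption of this example): an authenticated user logged
    # from the same client in the same second probably owns the same commit.
    users_seen = {}
    for r in records:
        if r["user"] != "-":
            users_seen.setdefault((r["host"], r["time"]), set()).add(r["user"])
    hits = []
    for r in records:
        status = int(r["status"])
        if r["user"] == "-" and r["method"] in WRITE_METHODS and 200 <= status < 300:
            hits.append({
                "time": r["time"], "method": r["method"], "path": r["path"],
                "status": status,
                "same_second_users": sorted(users_seen.get((r["host"], r["time"]), ())),
            })
    return hits

if __name__ == "__main__":
    for hit in unauthenticated_writes(SAMPLE.splitlines()):
        print(hit)
```

A hit with an empty `same_second_users` list is the case to look at first, since no authenticated request from that client accompanies the write.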

          People

            rbattaglin Renan Battaglin
            57bb6774bab8 Contegix Support