mod_authz_svn blocks POST if any sub-path is readonly #15

Open
solsson opened this issue Dec 11, 2017 · 6 comments

@solsson
Collaborator

solsson commented Dec 11, 2017

For example with RWEB=fpm we can't use the e.mkdir service on any path that has a read-only descendant. See Reposoft/rweb@7f8a12d

My initial reaction is that this is a bug with mod_authz_svn, as they handle GET but not POST. True, POST may affect a subtree. However, it'd have to be converted, server side like rweb does, to a Subversion operation first.

@takesson Do you have ideas? The only thing I can come up with now is to separate external and internal hosts (again) and load the mod_authz_svn module only on the internal host.

@takesson

Since POST can affect a subtree and rweb is kind of intruding on the svn URL, I think mod_authz_svn does more or less the right thing.

Alternatives:

  • Have rewrite do (R)edirect instead of (P)roxy. The forms will be on different URLs and I presume post to the /repos-web URL.
  • Make the form consistently POST to the /repos-web/... URL regardless of R / P in rewrite.

We might have customers (not many) with integrations that POST towards the /svn/... URL in order to upload files. Not sure how such a client (curl, mostly) would handle a Redirect during POST.

@solsson
Collaborator Author

solsson commented Dec 11, 2017

Redirect for POST during file upload is quite bad as you'll send the entire file again. That's why we try to validate write access when displaying the form, due to how BASIC auth works.

> Make the form consistently POST to the /repos-web/... URL regardless of R / P in rewrite.

Sounds good. I once thought we'd be phasing out those URLs but it's quite impractical due to static resources there etc.

@takesson

takesson commented Dec 11, 2017 via email

@solsson
Collaborator Author

solsson commented Dec 11, 2017

Maybe redirect is required due to how BASIC auth works. I've had issues in the past with browsers not sending credentials to a sibling path.

@takesson

takesson commented Dec 11, 2017 via email

@takesson

takesson commented Apr 5, 2018

> Maybe redirect is required due to how BASIC auth works. I've had issues in the past with browsers not sending credentials to a sibling path.

Yes, I am seeing the BASIC auth sibling path issue. Might actually be worse if doing POST to a different path.

Perhaps we should require auth on / instead to avoid sibling issue. Now, we are doing redirect on / which happens before authn. Options:

  • Get mod_rewrite to do authn before redirect, some forward-looking subrequest perhaps.
  • Change the redirect to a page, potentially doing the redirect with HTML instead?
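
The sibling-path behaviour discussed in this thread matches the Basic authentication protection-space rule in RFC 7617, section 2.2: a client may send credentials without a new challenge only to paths at or below the directory of the URL it last authenticated against. The sketch below is an added example, not code from rweb or from the thread participants; the host name, the concrete paths and the simplification that a client transmits the whole POST body before it sees the 401 are assumptions made for illustration.

```javascript
// Added example: models the RFC 7617 section 2.2 rule for preemptive
// Basic credentials. Host and paths are constructed, not taken from rweb.

// Scope learned from one successfully authenticated request:
// same origin, every path at or below the directory of that URL.
function preemptiveScope(url) {
  const u = new URL(url);
  const prefix = u.pathname.slice(0, u.pathname.lastIndexOf('/') + 1);
  return { origin: u.origin, prefix };
}

// True if credentials learned at authedUrl may be sent to targetUrl
// without waiting for another 401 challenge.
function inScope(authedUrl, targetUrl) {
  const scope = preemptiveScope(authedUrl);
  const t = new URL(targetUrl);
  return t.origin === scope.origin && t.pathname.startsWith(scope.prefix);
}

// Simplified cost model (assumption): an out-of-scope POST goes out once
// without credentials, is answered with 401, and is then sent again.
function postBodyTransmissions(authedUrl, formActionUrl) {
  return inScope(authedUrl, formActionUrl) ? 1 : 2;
}

const host = 'https://svn.example.test'; // constructed host
const cases = [
  // [URL the browser authenticated against, URL the form posts to]
  [`${host}/svn/repo/trunk/`, `${host}/svn/repo/trunk/docs/`], // descendant
  [`${host}/svn/repo/trunk/`, `${host}/repos-web/upload`],     // sibling
  [`${host}/`, `${host}/repos-web/upload`],                    // auth on /
];
for (const [authed, action] of cases) {
  const n = postBodyTransmissions(authed, action);
  console.log(`${authed} -> ${action}: body sent ${n} time(s)`);
}
```

Under this model, authenticating on / puts both the /svn/... and /repos-web/... trees in scope, while authenticating anywhere under /svn/ leaves /repos-web/ outside it. Real browsers cache credentials with their own heuristics, so treat the result as the minimum the RFC allows rather than a guarantee.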
