mod_authz_svn fails to protect metadata

Summary:
=======

mod_authz_svn, the Apache httpd module which does path-based
authorization on Subversion repositories, is not correctly protecting
all metadata on unreadable paths.

This metadata leakage affects the mod_authz_svn module in all released
versions of Subversion (through 1.0.7), as well as the 1.1-rc1, -rc2
and -rc3 release candidates. The leakage is fixed in the 1.0.8 and
1.1-rc4 releases, as well as the upcoming 1.1 final release.

Details:
=======

If a Subversion commit affects paths that an administrator has marked
"unreadable" using mod_authz_svn, then

  - "svn log -v" will list the existence of the unreadable paths;

  - "svn log -v" will show the commit's log message, which might be
    considered sensitive metadata in some situations;

  - "svn propget" is also able to fetch the log message of any commit;

  - "svn blame" and other commands that follow renames are able to
    acknowledge the existence of earlier versions of files that exist
    at unreadable locations.

Severity:
========

Mild-to-medium severity, depending on your situation.

This security issue is not about revealing the contents of protected
files: it only reveals metadata about protected areas such as paths
and log messages. This may or may not be important to your
organization, depending on how you're using path-based authorization
and the sensitivity of the metadata.

(Exception: in the case of "svn blame", and only in svn 1.1-rc2 and
-rc3, it's possible that older unreadable versions of a file are being
transported from server to client; the contents aren't displayed, but
the data is still traveling over the network.)

These issues only affect users of mod_authz_svn, not people using
native httpd.conf directives (such as or ) to limit general
readability on whole repositories.

Workarounds:
===========

  * Use mod_authz_svn to restrict writes only, not reads.

  * Break unreadable areas into separate repositories, and use native
    Apache httpd.conf directives to make them unreadable.

References:
==========

CAN-2004-0749: mod_authz_svn fails to protect metadata

Recommendation:
==============

We recommend an upgrade to 1.0.8 or 1.1.0-rc4.
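The advisory's exposure condition has two parts: an affected Subversion version, and an AuthzSVNAccessFile that uses mod_authz_svn to take read access away (the first workaround is to use it for writes only). The following audit script is an added example written for this page, not Subversion's own code; it checks both conditions against constructed sample access files. The version-range logic encodes exactly the releases the advisory names, and the authz parsing assumes the standard INI-style AuthzSVNAccessFile layout, where an entry like `* =` under a path section removes all rights (including read) for that principal.

```python
"""Audit helper for CAN-2004-0749 (added example, not part of Subversion).

Flags deployments where mod_authz_svn is used to make paths unreadable
(the configuration the advisory says is exposed) AND the server version
is in the affected range.
"""
import configparser
import re

# Versions the advisory lists as affected: every release through 1.0.7 and
# the 1.1 release candidates rc1..rc3.  1.0.8, 1.1-rc4 and 1.1 final are fixed.
FIXED_1_0_PATCH = 8
FIXED_1_1_RC = 4

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?$")


def is_affected_version(version):
    """Return True if this Subversion version string is in the affected range."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, patch, rc = (int(g) if g is not None else None
                               for g in m.groups())
    if (major, minor) < (1, 0):
        return True  # "all released versions" covers anything older than 1.0
    if (major, minor) == (1, 0):
        return (patch or 0) < FIXED_1_0_PATCH   # 1.0.0 .. 1.0.7 affected
    if (major, minor) == (1, 1):
        # 1.1-rc1..rc3 affected; 1.1-rc4 and 1.1 final (no rc suffix) fixed
        return rc is not None and rc < FIXED_1_1_RC
    return False  # later release lines carry the fix


def unreadable_entries(authz_text):
    """Return [(path_section, principal)] for entries that strip read access.

    In an AuthzSVNAccessFile, a line such as '* =' or 'bob =' under a path
    section removes every right (read included) for that principal there.
    These are the "unreadable" markings whose metadata still leaks on
    affected versions.  [groups] and [aliases] are not path sections.
    """
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str  # keep principal names case-sensitive
    cp.read_string(authz_text)
    hits = []
    for section in cp.sections():
        if section in ("groups", "aliases"):
            continue
        for principal, rights in cp.items(section):
            if "r" not in (rights or ""):
                hits.append((section, principal))
    return hits


def exposed(version, authz_text):
    """True when both advisory conditions hold: affected version and
    mod_authz_svn used to restrict reads rather than only writes."""
    return is_affected_version(version) and bool(unreadable_entries(authz_text))


# Constructed sample: a path marked unreadable (the exposed shape) ...
EXPOSED_AUTHZ = """\
[groups]
devs = alice, bob

[/]
* = r
@devs = rw

[/secret]
* =
@devs = rw
"""

# ... beside the first workaround: everyone keeps read, only writes are limited.
WORKAROUND_AUTHZ = """\
[groups]
devs = alice, bob

[/]
* = r

[/secret]
@devs = rw
"""

if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_AUTHZ), ("workaround", WORKAROUND_AUTHZ)):
        print(label, "on 1.1-rc2:", exposed("1.1-rc2", text),
              "read restrictions:", unreadable_entries(text))
```

Run against a real access file, the script only reports whether the leaky pattern is present; it says nothing about which metadata has already been exposed, which is why the advisory's recommendation remains the upgrade to 1.0.8 or 1.1.0-rc4.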