  1. Subversion
  2. SVN-1949

mod_authz_svn: a writer can circumvent unreadable subtrees.


Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • all
    • 1.1.0
    • mod_authz_svn
    • None

    Description

      If mod_authz_svn has granted write access to somebody, and that same person is
      not allowed to read some specific sub-tree, then the read-control can be
      circumvented by simply doing an 'svn copy URL1 URL2'. (URL1 is a readable
      parent of the unreadable sub-tree, and URL2 is a writable destination.)
      
      This is a hole in mod_authz_svn. The fix is to make the module more diligent
      when dealing with an HTTP COPY request: it needs to scan the entire source
      tree and make sure the reader has 100% read-access to every part of it.
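
The check described above, sketched as an added example in C (not Subversion's or mod_authz_svn's own code): the rule table, the flattened tree listing and all function names are hypothetical and constructed for illustration. It contrasts a read check on the COPY source path alone with one that scans every node beneath it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed read policy for one user: path-prefix rules, longest match wins.
   Hypothetical structure, not mod_authz_svn's real rule format. */
struct rule { const char *prefix; int readable; };
static const struct rule RULES[] = {
    { "/",             1 },
    { "/trunk/secret", 0 },   /* the unreadable sub-tree */
};

/* Constructed flattened listing of the repository tree. */
static const char *const TREE[] = {
    "/trunk", "/trunk/src", "/trunk/src/main.c",
    "/trunk/secret", "/trunk/secret/keys.txt", "/branches",
};
#define TREE_LEN (sizeof TREE / sizeof TREE[0])

/* True if prefix is the path itself or one of its ancestor directories. */
static int is_within(const char *path, const char *prefix)
{
    size_t n = strlen(prefix);
    if (strcmp(prefix, "/") == 0) return path[0] == '/';
    return strncmp(path, prefix, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* Read check for a single path: what a check on the source URL alone sees. */
static int can_read(const char *path)
{
    size_t best = 0; int allowed = 0;          /* default deny */
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++) {
        size_t n = strlen(RULES[i].prefix);
        if (is_within(path, RULES[i].prefix) && n >= best) {
            best = n; allowed = RULES[i].readable;
        }
    }
    return allowed;
}

/* COPY check: every node at or below src must be readable. */
static int copy_source_allowed(const char *src)
{
    for (size_t i = 0; i < TREE_LEN; i++)
        if (is_within(TREE[i], src) && !can_read(TREE[i]))
            return 0;   /* one unreadable descendant blocks the whole copy */
    return 1;
}

int main(void)
{
    printf("source-only check on /trunk: %d\n", can_read("/trunk"));
    printf("full-tree check on /trunk:   %d\n", copy_source_allowed("/trunk"));
    printf("full-tree check on /trunk/src: %d\n", copy_source_allowed("/trunk/src"));
    return 0;
}
```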
      

          People

            Unassigned Unassigned
            sussman Ben Collins-Sussman