Subversion’s mod_dav_svn server allows setting arbitrary svn:author property values when committing new revisions. This can be accomplished using a specially crafted sequence of requests. An evil-doer can fake svn:author values on his commits. However, as authorization rules are applied to the evil-doer’s true username, forged svn:author values can only happen on commits that touch the paths the evil-doer has write access to.