tags:

views:

202

answers:

3
+3  Q: 

Security: Deny access to .hg/* via mod_rewrite

My website is a mercurial repository with multiple subrepositories. I need to make sure I'm denying access to all files in every .hg directory on the server.

For example, I have http://example.com/.hg/ and http://example.com/subrepo1/.hg/

I've added the following to .htaccess:

<Files ~ "^\.(hg|ht)">
    Order allow,deny
    Deny from all
</Files>

This is a good start, as it denies access to files beginning with .hg and .ht, but it doesn't deny access to the files inside .hg directories, so if someone types, for instance http://example.com/.hg/branch, the branch file will be displayed in their browser.

What do I need to do in order to make sure these files are not displayed to the user? I'd like to send either a 403 or a 404 back to the browser if someone tries to access a file inside any .hg directory on my server.

This question is also relevant for anyone whose website is a subversion / svn repository.

+4  A: 

If you don't have to use mod_rewrite, then you can just do this:

RedirectMatch 404 /\\.hg(/|$)

(Full disclosure: answer adapted for Mercurial from this question about doing the same thing for Subversion).

Dominic Rodger  2010-03-02 08:18:04
I get a 500 error when I try anything with Directory, DirectoryMatch, Location or LocationMatch, so I'm thinking it's not allowed inside .htaccess. The RedirectMatch works like a charm, however. Thanks!
Tex  2010-03-02 08:27:21
@Tex - I'll edit that out - it appears that the OP from the SVN question had trouble getting `DirectoryMatch` to work too.
Dominic Rodger  2010-03-02 08:31:41
My understanding is that `Directory`, `DirectoryMatch`, `Location` and `LocationMatch` are not allowed in .htaccess .
Tex  2010-03-02 08:36:08
@Tex - that looks right to me, based on http://httpd.apache.org/docs/2.0/mod/core.html#directorymatch, which says they're available in server config files (e.g. `httpd.conf`) and in `VirtualHost` containers in server config files, they are not allowed in `.htaccess` files.
Dominic Rodger  2010-03-02 08:40:41
A: 

You always have the possibility to place .htaccess files in these folders and deny all access within the Folder.

I'm assuming you want a solution, where you don't have to put the .htaccess files in every folder and subfolder?

Try the following (assuming you have ssh access to the webserver):

  • Change into the DocumentRoot of your site
  • create a .htaccess file

Content:

Order deny, allow
Deny from all

  • Execute the following command:

    find . -type d -name .hg -exec cp ./.htaccess {} \;

  • Afterwards delete the .htaccess file from your document root again

Aurril  2010-03-02 08:28:35
Hi, I like this solution, as well, but it has one drawback - the files inside the .hg directories are not versioned, and I'm pretty sure they are not included in a new clone of a repository. This means I'd have to perform this step again if I ever start over with a new clone, since the .hg/.htaccess files won't be automatically included in the clone, if I'm not mistaken.
Tex  2010-03-02 08:33:02
Yes I think you are right. On a new clone it wouldn't be included.
Aurril  2010-03-02 08:35:45
A: 

This is much less of a concern if you just keep the repositories outside of your DocumentRoot altogether. You're probably using hgweb or hgwebdir, which don't require the files be inside the DocumentRoot, so don't do it. Put them in /home/hg/repos or something and configure your hgwebdir.conf to look there.

The only reason to have the repos inside the DocumentRoot would be enable the static-http URL form for mercurial, but it's very slow and hgweb is always preferred when it's possible.

Ry4an  2010-03-02 14:58:51

related questions

Is it safe to deny access to .ini file in .htaccess?
.htaccess redirect performance
How can I fix my .htaccess to resolve URLs that don't end in slashes
Find the page that the user intended to see
Configuring wordpress .htaccess to view subfolders
Getting file name of file directed by .htaccess?
Apache htaccess on Win2k is not being processed
How do I stop visitors directly accessing the directories in my website?
What happens first? .htaccess or php code?
Apache/php guru needed! htaccess files, php, includes directories, and windows XAMPP configuration nightmare!
Edit php.ini with .htaccess
Do you have to restart apache to make re-write rules in the .htaccess take effect?
Apache Mod-Rewrite Primers?
Dynamic IP-based blacklisting
.htaccess mod rewrite 301-redirect
How to make a web app appear at the root of the site?
Is it possible to use .htaccess to send six digit number URLs to a script but handle all other invalid URLs as 404s?
How do I use .htaccess to redirect to a URL containing HTTP_HOST?
How to convert Apache .htaccess files into Lighttpd rules?
Wildcard Subdomain Exceptions
Redirecting non-www URL to www
How can I use `scp` to deploy a website's `.htaccess` file?
How do I add a MIME type to .htaccess?
Mod-Rewrite loading files behind the DocumentRoot
.htaccess directives to *not* redirect certain URLs