tags:

views:

3293

answers:

11

One of my co-workers checked in a some files in SVN and one of the files has a password in it. The password has been removed from the file and a new version checked in but the password is obviously still in the repository if we look at the revision history and go to that revision. (We're using TortoiseSVN as the client.)

So how do I securely delete that single file from the repository in SVN?

A: 

I'm not sure. You could always create a new file and copy the latest revision into that, wiping out prior revision history.

Bernard
+2  A: 

Maybe you should change your production password to avoid the svn problem altogether.

Mike Thompson
+8  A: 

link to subversion FAQ entry on this

Jason Baker
+5  A: 

it isn't pretty : How do I completely remove a file from the repository's history?

Adam
A: 

@Jason, Adam:
O_o;;

I think I prefer my stupid-brute force solution. Wow.

Bernard
A: 

@Bernard - How would you do that? If I deleted the file from SVN and then loaded a new file in there would the revision history be removed? That would work at this stage if that's the case.

Guy
A: 

That seemed to work. So what I did was:

  1. Copy the file to another folder.
  2. Do a TortoiseSVN delete from the current folder followed by a commit.
  3. Copy the file back in to the folder.
  4. Add the file using TortoiseSVN and commit again.

I can't seem to find any revision history now - however, it could just be that I'm not looking in the right place.

So a modified question would now be, how can I find the revision history of the file that was deleted and then resubmitted to SVN?

(BTW I apologize for not asking the question more accurately earlier as I never mentioned that one of the options was to obliterate all revision history as it hadn't occurred to me.)

Guy
The procedure you have outlines will break the links so that viewing the current HEAD file and it;s history won't easily show you the original checking. However if you set the revision back to the version before you did the delete you will be able to see it again.
Greg Domjan
+3  A: 

I can't seem to find any revision history now - however, it could just be that I'm not looking in the right place.

You can see it by looking at the folder history, which will give you the revision where the file was still there, and thus you'll be able to recover the confidential file. So it's a bad solution.

Damien B
A: 

@Damien:
You are correct. I hadn't thought of that.

Bernard
+2  A: 

If it's the last revision (HEAD) you can (BACKING UP your repo beforehand) delete that revision's files in db\revs and db\revprops and then run the following python script to fix what revision you repo thinks HEAD is.

e.g. if head is 522 and the password was commited in 520, you'd have to delete revisions 520,521 and 522.

(This script shouldn't be necessary once SVN obliterate is implemented)

(I didn't write this script, I got it from here)

#!/usr/bin/python

def dec_to_36(dec):
  key = '0123456789abcdefghijklmnopqrstuvwxyz'
  result = ''
  while 1:
    div = dec / 36
    mod = dec % 36
    dec = div
    result = key[mod] + result
    if dec == 0:
      break
  return result


import os, re, sys

repo_path = sys.argv[1]
rev_path = os.path.join(repo_path, 'db', 'revs')
current_path = os.path.join(repo_path, 'db', 'current')

id_re = re.compile(r'^id:\ ([a-z0-9]+)\.([a-z0-9]+)\.r([0-9]+).*')

max_node_id = 0
max_copy_id = 0
max_rev_id = 0

for rev in os.listdir(rev_path):
  f = open(os.path.join(rev_path, rev), 'r')

  for line in f:
    m = id_re.match(line)
    if m:
      node_id = int(m.group(1), 36)
      copy_id = int(m.group(2), 36)
      rev_id = int(m.group(3), 10)

      if copy_id > max_copy_id:
        max_copy_id = copy_id

      if node_id > max_node_id:
        max_node_id = node_id

      if rev_id > max_rev_id:
        max_rev_id = rev_id

f = open(current_path, 'w+b')
f.write("%d %s %s\n" % (max_rev_id, dec_to_36(max_node_id+1),
                        dec_to_36(max_copy_id+1)))
f.close()
Sam Hasler
script seems to work, takes a long time to run over every revision when you get into 10's of thousands of revisions. I wonder how safe it would be to shortcut and use just the last 20 revisions say.
Greg Domjan
+1  A: 

your password is still there (svn cat file@2342 where 2342 is a revision the file was still there).

you can ''svnadmin dump'' you repos to a file, search and replace you password with "ultrasecret', ''svnadmin create'' a new repos and ''svnadmin load'' the modified dump into that new repos. be aware of binary data in your dump, so use a proper editor/sed.