tags:

views:

44

answers:

2
+2  Q: 

Can I disable Mercurial cloning/pulling over HTTP?

We're using Mercurial on our production servers for some smaller web projects to easily deploy applications by pushing changes to the server over SSH. The repositories reside in the public_html folders of their respective accounts.

Now if I do a

hg clone http://www.domain.com

I get

real URL is http://www.domain.com/
requesting all changes
adding changesets
adding manifests
transaction abort!
rollback completed
abort: empty or missing revlog for .htaccess

Fortunately, cloning doesn't seem to be possible without authentication, but I'd rather not let anyone know there is an hg repository available in the first place.

Does anybody know a way to completely hide a Mercurial repository from the public, even though it is in a public place like public_html/htdocs on webserver? I couldn't find any information on how to achieve that.

ETA: Apparently, I do not yet have enough reputation to vote any answers up. But thanks a lot to the both of you for your helpful answers. :)

+1  A: 

You can

  • make the .hg directory inaccessible to your web server
  • make .hg invisible by .htacces magic (assuming you use an apache httpd)
  • place the repositories outside of public_html and populate public_html with hg archive
Rudi  2010-10-19 11:26:35
Sounds good. The .hg directory belongs to the account user which is the same user as the web server (shared hosting environment), so I don't know if I can make it inaccessible to the web server, but I'll definitely look into the second and third options. Thanks a lot!
Jürg Gutknecht  2010-10-19 14:05:11
+2  A: 

In the repo's .hg/hgrc add this:

[web]
allowpull = false

That will error them out much earlier in the process, before they get any data (currently they're getting a lot of data if they want it before rollback). Note that allowpull has no underscore, unlike most other multi-word mercurial settings.

That's completely prevents them from getting the contents via mercurial, but they could still use wget, curl or a webbrowser to pick through http://www.domain.com/.hg/ manually.

To avoid that you can block any URL containing /.hg/ at the web server level. In Apache that would look like:

<Directory "/your/doc/root/.hg">
  Order deny,allow
  deny from all
</Directory>
Ry4an  2010-10-19 13:54:57
This worked like a charm, thanks a lot! It was a matter of copying and pasting your instructions into the respective files.
Jürg Gutknecht  2010-10-19 15:17:09

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security