tags:

views:

3034

answers:

5
+11  Q: 

Deny access to .svn folders on Apache

We have a rails application in subversion that we deploy with Capistrano but have noticed that we can access the files in '/.svn', which presents a security concern.

I wanted to know what the best way to do this. A few ideas:

  • Global Apache configuration to deny access
  • Adding .htaccess files in the public folder and all subfolders
  • Cap task that changes the permissions

I don't really like the idea of deleting the folders or using svn export, since I would like to keep the 'svn info' around.

+14  A: 

The best option is to use Apache configuration.

Using htaccess or global configuration depends mainly on if you control your server.

If you do, you can use something like

<DirectoryMatch .*\.svn/.*>
    Deny From All
</DirectoryMatch>

If you don't, you can do something similar in .htaccess files with FilesMatch

Vinko Vrsalovic  2008-12-29 16:36:08
I could not get this to work with .htaccess and FilesMatch.I could get it to block a request to http://site.com/.svn, but I could still access files if I directly requested them.For now I am using the RedirectMatch as suggested below. The other option is a RewriteRule.
Tao Zhyn  2009-02-12 23:09:29
A: 

Create a access rights file in your subversion server installation.

e.g if you folder structure is

/svn

/svn/rights/svnauth.conf

create a configuration file and enter the path of that file in your apache subversion configuration file which you would normally find at /etc/httpd/conf.d/subversion.conf

In your svnauth.conf file define the rights as :

access rights for Foo.com

[foo.com:/trunk/source]

dev1=rw

dev2=rw .....

This way you can control the access rights from one single file and at much granular level.

For more information peruse through the svn red book.

 2008-12-29 17:07:44
You have misunderstood the question. He is talking about the .svn directory that gets created on checkout, not about developers permissions on the repository
Vinko Vrsalovic  2008-12-29 18:00:05
+13  A: 

One other way to protect the .svn files would be to use a redirect in the Apache config:

RedirectMatch 404 /\\.svn(/|$)

So instead of getting a 403 forbidden (and providing clues to would be attackers) you get a 404, which is what we would expect when randomly typing in paths.

csexton  2008-12-29 18:14:50
Yes, this is non HTTP-compliant though :)
Vinko Vrsalovic  2008-12-29 18:17:05
+1  A: 

A RedirectMatch will respond with a 404, which is great.

However, if "Options +Indexes" is enabled, then users will still be able to see the '.svn' directory from the Parent directory.

Users won't be able to enter the directory-- this is where the '404 Not Found' comes in. However, they will be able to see the directory and provide clues to would be attackers.

Stefan Lasiewski  2010-02-23 01:21:25
+3  A: 

I cant write comments yet so... The answer of csexton is incorrect, because an user cannot access the .svn folder, but can access any files inside it ! e.g. you can access http://myserver.com/.svn/entries

The correct rule is

RedirectMatch 404 /\\.svn(/.*|$)
Riccardo Galli  2010-07-14 23:48:12

related questions

Best strategy to write hooks for subversion in Windows
Database Version Control
Version control PHP Web Project
Experience with SVN vs. Team Foundation Server?
Best SVN Client Ignore Pattern for VB.NET Solutions?
SVN merge merged extra stuff
What is your favorite web app deployment workflow with SVN?
Integrating Fogbugz with TortoiseSVN with no URL/Subversion backend
Version Control. Getting started...
ASP.NET Display SVN Revision Number
How do I create a branch in SVN?
What do the result codes in svn mean?
Could you recommend a good free project hosting website?
Federated (Synced) Subversion servers?
Mechanisms for tracking DB schema changes
What are the advantages of using SVN over CVS?
Use SVN Revision to label build in CCNET
Best subversion client for Mac OS
Why is Git better than Subversion?
ASP.NET, Visual Studio and Subversion - how to integrate?
Best Practice: Collaborative Environment, Bin Directory, SVN
How do I sync the SVN revision number with my ASP.NET web site?
Best Subversion clients for Windows Vista (64bit)
Good branch/merge tutorials for Tortoise SVN?
How can you get Subclipse in Aptana to work with the newest release of Subversion?