
Deny access to .svn folders on Apache

We have a Rails application in Subversion that we deploy with Capistrano, but we have noticed that we can access the files in '/.svn', which presents a security concern.

I wanted to know what the best way to do this is. A few ideas:

  • Global Apache configuration to deny access
  • Adding .htaccess files in the public folder and all subfolders
  • Cap task that changes the permissions

I don't really like the idea of deleting the folders or using svn export, since I would like to keep the 'svn info' around.

csexton asked Dec 29 '08 16:12



2 Answers

The best option is to use Apache configuration.

Using htaccess or global configuration depends mainly on if you control your server.

If you do, you can use something like

    <DirectoryMatch .*\.svn/.*>
        # Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied"
        Deny From All
    </DirectoryMatch>

If you don't, you can do something similar in .htaccess files with FilesMatch

Vinko Vrsalovic answered Oct 07 '22 01:10


One other way to protect the .svn files would be to use a redirect in the Apache config:

RedirectMatch 404 /\\.svn(/|$) 

So instead of getting a 403 Forbidden (and providing clues to would-be attackers) you get a 404, which is what we would expect when randomly typing in paths.

csexton answered Oct 07 '22 02:10
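
An added example, not part of either answer: a Python check that walks a document root, lists every URL path that falls under a `.svn` directory, and reports which of them a given pattern would fail to intercept. It compares the pattern from the RedirectMatch answer with a constructed root-only pattern to show why the rule must also cover `.svn` directories in subfolders. The function names, the sample tree and the weaker pattern are assumptions made for illustration.

```python
import os
import re
import tempfile

# Pattern from the RedirectMatch answer, as a regex (assumption: Apache's
# config parser reduces "\\." to "\.", i.e. a literal dot).
PAGE_PATTERN = r"/\.svn(/|$)"
# Constructed weaker pattern for comparison: only covers a top-level /.svn/.
ROOT_ONLY_PATTERN = r"^/\.svn/"


def svn_url_paths(docroot):
    """Return URL paths of every .svn directory and file under docroot."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        url_dir = "/" if rel == "." else "/" + rel + "/"
        if "/.svn/" in url_dir:
            paths.extend(url_dir + name for name in filenames)
        if ".svn" in dirnames:
            paths.append(url_dir + ".svn")
    return sorted(paths)


def uncovered(docroot, pattern):
    """URL paths under .svn that the pattern would NOT intercept."""
    rule = re.compile(pattern)
    return [p for p in svn_url_paths(docroot) if not rule.search(p)]


def build_sample_docroot():
    """Constructed sample: a working copy with .svn in every directory."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for rel in (".svn/entries", "images/.svn/entries",
                "images/.svn/text-base/logo.png.svn-base",
                "index.html", "notes.svn"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    docroot = build_sample_docroot()
    for name, pat in (("page", PAGE_PATTERN), ("root-only", ROOT_ONLY_PATTERN)):
        print(name, "misses:", uncovered(docroot, pat))
```

Pointing `uncovered()` at the real public folder after a deploy gives a quick list of paths to spot-check against the live server.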