We have a rails application in subversion that we deploy with Capistrano but have noticed that we can access the files in '/.svn', which presents a security concern.
I wanted to know what the best way to do this is. A few ideas:
I don't really like the idea of deleting the folders or using svn export, since I would like to keep the 'svn info' around.
As @jpierson already answered, you can use authz files to define No Access, Read Only or Read Write rules on repository paths. A repository path can represent the repository root or any path within the repository, i.e. you can specify access rules not only for subtrees (folders) but for files as well.
There is only one .svn folder, located in the base of the working copy. If you are using 1.7, then just deleting the .svn folder and its contents is an easy solution (regardless of using TortoiseSVN or command line tools).
In particular, each directory in your working copy contains a subdirectory named .svn, also known as the working copy's administrative directory. The files in each administrative directory help Subversion recognize which files contain unpublished changes, and which files are out of date with respect to others' work.
- the only .svn folder is in the root folder now, and this contains all of the info for the checkout. You should now be able to simply copy the folder and check it in.
The best option is to use Apache configuration.
Using .htaccess or the global configuration depends mainly on whether you control your server.
If you do, you can use something like
<DirectoryMatch .*\.svn/.*>
    Deny From All
</DirectoryMatch>
If you don't, you can do something similar in .htaccess files with FilesMatch
One other way to protect the .svn files would be to use a redirect in the Apache config:
RedirectMatch 404 /\\.svn(/|$)
So instead of getting a 403 Forbidden (and providing clues to would-be attackers) you get a 404, which is what we would expect when randomly typing in paths.
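The two Apache answers above combined into one complete configuration, as an added example that is not part of either answer. It assumes Apache 2.4 and a hypothetical DocumentRoot of /var/www/app/public; the Apache 2.2 equivalent is noted in a comment. The pattern /\.svn(/|$) matches a .svn directory at any depth, which matters because a 1.6 or older checkout has one .svn per directory while 1.7+ keeps a single one at the working-copy root, and the (/|$) alternation catches both the directory itself and everything under it (such as .svn/pristine/) without also matching an unrelated path that merely starts with ".svn".

```apache
# Added example, not taken from any of the answers above.
# Assumes Apache 2.4 and a (hypothetical) DocumentRoot of /var/www/app/public.

# --- Server / vhost configuration (you control httpd.conf or the vhost file) ---
# Deny filesystem access to any .svn directory and everything beneath it.
# <DirectoryMatch> is tested against the directory path, with or without a
# trailing slash, so the (/|$) alternation is needed to match the directory
# itself as well as its subdirectories.
<DirectoryMatch "/\.svn(/|$)">
    # Apache 2.4 syntax. On Apache 2.2 replace this line with:
    #     Order deny,allow
    #     Deny from all
    Require all denied
</DirectoryMatch>

# Optional: answer 404 instead of 403, so a probe for /.svn/ looks exactly
# like a probe for a path that never existed. mod_alias must be loaded.
RedirectMatch 404 "/\.svn(/|$)"

# --- .htaccess variant (you cannot edit the server configuration) ---
# <DirectoryMatch> is not permitted in .htaccess, but RedirectMatch is, as long
# as the vhost grants "AllowOverride FileInfo" (or "AllowOverride All") for the
# DocumentRoot. Put the following single line in /var/www/app/public/.htaccess:
#
#     RedirectMatch 404 "/\.svn(/|$)"
```

After reloading Apache, check the fix from outside with something like `curl -sI https://your-host/.svn/entries` and `curl -sI https://your-host/.svn/wc.db` (hypothetical host) and confirm you get 404 (or 403, if you only used the DirectoryMatch block) rather than 200. Note that this only hides the administrative directory from HTTP clients; the files remain on disk, and .svn/wc.db still contains the repository URL and pristine copies of every checked-out file, so the directory should also be kept out of any file-serving path, backups or archives that are exposed by other means.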