I have a Rails application in Subversion that I deploy with Capistrano, but I've noticed that people can access the files in '/.svn', which presents a security concern.
I'd like to know the easiest way to fix that. A couple of ideas:
- Global Apache configuration to deny access
- Adding .htaccess files to the public folder and all of its subfolders
- A Cap task that changes the permissions
I don't really like the idea of removing the folders or using svn export, since I want to keep the 'svn info' around.
The best option is to use the Apache configuration.
Using .htaccess or the global configuration depends mainly on whether you control your server.
If you do, you can use something like
<DirectoryMatch .*\.svn/.*>
    Order deny,allow
    Deny from all
</DirectoryMatch>
If you don't, you can do something similar in .htaccess files with FilesMatch
Another way to protect the .svn files is to use a redirect in the Apache config:
RedirectMatch 404 /\.svn(/|$)
So instead of getting a 403 Forbidden (and giving clues to would-be attackers) you get a 404, which is what we would expect when randomly typing in paths.
I don't like the idea of 404ing every file starting with a dot. I'd use a more selective approach, either using the VCS I'm using in the project (svn in the example)
RedirectMatch 404 /\.svn(/|$)
or a catch-all for VCS systems
RedirectMatch 404 /\.(svn|git|hg|bzr|cvs)(/|$)
-- outdated answer follows (see comments) --
I can't write comments yet so... The solution of csexton is incorrect, because a user cannot access the .svn folder, but can access any file within it! e.g. you have access to http://myserver.com/.svn/entries
The right rule is
RedirectMatch 404 /\.svn(/.*$)
I think Riccardo Galli got it right. Even though Apache already had .svn set up as forbidden for me, .svn/entries was definitely available... exposing my svn server, port number, usernames, etc.
I really figure, why not restrict .git as a preventative measure (say you don't use git yet but may at some point, after which you won't be thinking about directory restrictions).
And then I thought, why not restrict everything that needs to be hidden anyway? Can anybody think of a problem with this?
RedirectMatch 404 /\..*(/.*$)
I added the '.*' after the initial period - the only difference from Riccardo. Seems to 404 .svn, .git, .blah, etc.
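To see what each of the RedirectMatch patterns in this thread actually catches, here is an added Python script (not from the original answers) that applies them the way Apache does, as an unanchored regex search over the request path, to a set of constructed sample URLs:

```python
import re

# Apache's RedirectMatch (and a server-context RewriteRule) searches for the
# pattern anywhere in the URL path; it is not anchored to the start.
RULES = {
    "csexton (/|$)":     r"/\.svn(/|$)",
    "corrected (/.*$)":  r"/\.svn(/.*$)",
    "per-VCS list":      r"/\.(svn|git|hg|bzr|cvs)(/|$)",
    "any dot-directory": r"/\..*(/.*$)",
}

# Constructed sample request paths. The first four are VCS metadata that
# should be hidden; the last three are legitimate resources.
PATHS = [
    "/.svn/entries",
    "/.svn/",
    "/images/.svn/wc.db",
    "/.git/config",
    "/.well-known/acme-challenge/token",
    "/assets/app.v1.2.js",
    "/.htaccess",
]


def blocked(rule_name, path):
    """True if the named rule would answer this request path with a 404."""
    return re.search(RULES[rule_name], path) is not None


def matrix():
    """Map each rule name to the list of sample paths it would 404."""
    return {name: [p for p in PATHS if blocked(name, p)] for name in RULES}


if __name__ == "__main__":
    for name, hits in matrix().items():
        print(f"{name:18s} -> {hits}")
```

Because the search is unanchored, the `(/|$)` form already covers `/.svn/entries` and every other file below `.svn/`, while the catch-all dot-directory rule also hides unrelated paths such as `/.well-known/`, which is the kind of over-blocking to check for before deploying it.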
A RedirectMatch will respond with a 404, which is great.
However, if "Options +Indexes" is enabled, then users will still be able to see the '.svn' directory in the parent directory listing.
Users won't be able to go into the directory; this is where the '404 Not Found' comes in. However, they'll be able to see the directory, and that provides clues to would-be attackers.
It seems to me the Apache conf should be:
<Directory ~ "\.svn">
    Order allow,deny
    Deny from all
</Directory>
I'm not all that keen on RewriteMatch, so I used a RewriteRule instead:
RewriteRule /\..*(/.*$) - [R=404,L]
The hyphen means "don't do any substitution". I also couldn't understand why, in the examples above, the regex had two backslashes:
So I took one out and it works fine. I can't understand why you would use two there. Someone care to enlighten me?
Create an access rights file in your subversion server installation.
e.g. if your folder structure is
create a configuration file and enter the path of that file in your Apache subversion configuration file, which you would normally find at /etc/httpd/conf.d/subversion.conf
In your svnauth.conf file define the rights as:
access rights for Foo.com
This way you can control the access rights in one single file and at a much more granular level.
For more information read through the svn red book.