Deny access to .svn folders on Apache

Published 2019-01-21 00:09

We have a rails application in subversion that we deploy with Capistrano but have noticed that we can access the files in '/.svn', which presents a security concern.

I wanted to know the best way to do this. A few ideas:

  • Global Apache configuration to deny access
  • Adding .htaccess files in the public folder and all subfolders
  • Cap task that changes the permissions

I don't really like the idea of deleting the folders or using svn export, since I would like to keep the 'svn info' around.

12 answers
疯言疯语
#2 · 2019-01-21 00:40

This:

RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /

can also be used if you don't want to send an error back to the user.

It's only redirecting back to the site root page. Also, this is a permanent redirect, so the robots won't try to reindex this URL.

放荡不羁爱自由
#3 · 2019-01-21 00:40

I'm not all that fond of RedirectMatch, so I used a RewriteRule instead:

RewriteRule /\..*(/.*|$) - [R=404,L]

The hyphen means "don't do any substitution". I also could not figure out why, in the examples above, the regex had two backslashes:

/\\..*(/.*|$)

So I took one out and it works fine. I can't figure out why you would use two there. Someone care to enlighten me?

成全新的幸福
#4 · 2019-01-21 00:41

A RedirectMatch will respond with a 404, which is great.

However, if "Options +Indexes" is enabled, then users will still be able to see the '.svn' directory from the parent directory.

Users won't be able to enter the directory; this is where the '404 Not Found' comes in. However, they will be able to see the directory, which provides clues to would-be attackers.

虎瘦雄心在
#5 · 2019-01-21 00:41

The Apache Subversion FAQ is suggesting this solution:

# Disallow browsing of Subversion working copy administrative dirs.
<DirectoryMatch "^/.*/\.svn/">
    Order deny,allow
    Deny from all
</DirectoryMatch>

source: https://subversion.apache.org/faq.html#website-auto-update

Emotional °昔
#6 · 2019-01-21 00:43

The best option is to use Apache configuration.

Using htaccess or global configuration depends mainly on if you control your server.

If you do, you can use something like

# Apache 2.2 access-control syntax; on Apache 2.4 this needs mod_access_compat
# (the native 2.4 equivalent is "Require all denied").
<DirectoryMatch .*\.svn/.*>
    Deny From All
</DirectoryMatch>

If you don't, you can do something similar in .htaccess files with FilesMatch

手持菜刀,她持情操
#7 · 2019-01-21 00:44

I do not like the idea of 404ing each file starting with a dot. I'd use a more selective approach, either with the cvs I'm using in the project (svn in the example)

RedirectMatch 404 /\\.svn(/|$)

or a catch all cvs systems

RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$)

-- outdated answer follows (see comments) --

I can't write comments yet so... csexton's answer is incorrect, because a user cannot access the .svn folder, but can access any file inside it! e.g. you can access http://myserver.com/.svn/entries

The correct rule is

RedirectMatch 404 /\\.svn(/.*|$)
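The answers above each cover one piece: answer #4 warns about directory listings, #5 and #6 block at the filesystem level with DirectoryMatch, and #7 shows a URL-based 404 whose regex also catches files inside the directory. The following is an added example that combines those pieces into one Apache 2.4 configuration; it is not from the question or from any of the answers, and the document root /var/www/app/public and the list of VCS directory names are assumptions.

```apache
# Added example (not from the original question or any answer): hide
# version-control metadata directories on Apache 2.4.
# Assumed document root: /var/www/app/public (a Capistrano-style checkout).

# ---------- Server or virtual-host configuration (httpd.conf) ----------

<Directory "/var/www/app/public">
    # Without this, "Options +Indexes" would list ".svn" in a directory
    # index even though requests into it are blocked (answer #4).
    Options -Indexes +FollowSymLinks
    # Lets the .htaccess variant further down take effect if needed.
    AllowOverride FileInfo Options
    Require all granted
</Directory>

# 1) URL level: answer 404 rather than 403, so the response does not confirm
#    that the directory exists. RedirectMatch matches the request URL, the
#    regex is unanchored, and "(/|$)" covers /.svn, /.svn/, /.svn/entries and
#    /sub/dir/.git/HEAD while leaving /.svnfoo and /.well-known/ alone.
#    Some answers write "/\\.svn": Apache's config parser collapses a doubled
#    backslash to a single one, so "/\\.svn" and "/\.svn" yield the same regex.
RedirectMatch 404 "/\.(svn|git|hg|bzr|cvs)(/|$)"

# 2) Filesystem level, as defence in depth: even if an Alias, a rewrite or a
#    second virtual host maps some other URL onto the working copy, nothing
#    under a VCS directory is served. "Require all denied" is the 2.4 form of
#    "Order deny,allow / Deny from all" (which needs mod_access_compat on 2.4).
<DirectoryMatch "/\.(svn|git|hg|bzr|cvs)(/|$)">
    Require all denied
</DirectoryMatch>

# ---------- .htaccess variant (no access to httpd.conf) ----------
# Goes in /var/www/app/public/.htaccess and needs "AllowOverride FileInfo
# Options" as above. <Directory> and <DirectoryMatch> are not allowed in
# .htaccess, so the URL-based rule does the work. <FilesMatch "^\."> is not a
# substitute: it only tests the final path component, so it would block
# /.svn as a name but not /.svn/entries or /.svn/wc.db.
#
#   RedirectMatch 404 "/\.(svn|git|hg|bzr|cvs)(/|$)"
#   Options -Indexes
```

After reloading Apache, check from outside the host that requests for /.svn/entries, /.svn/wc.db, a nested path such as /images/.svn/wc.db, and /.svn itself all return 404, and that a directory index of the parent (if indexes are enabled anywhere) no longer lists the directory. The 404 rule alone satisfies the question's requirement of keeping the working copy and its 'svn info' intact; the DirectoryMatch section only matters if some other mapping reaches the same files.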