We have a Rails application in Subversion that we deploy with Capistrano, but have noticed that we can access the files in '/.svn', which presents a security concern.
I wanted to know what the best way to do this is. A few ideas:
- Global Apache configuration to deny access
- Adding .htaccess files in the public folder and all subfolders
- Cap task that changes the permissions
I don't really like the idea of deleting the folders or using svn export, since I would like to keep the 'svn info' around.
It seems to me the Apache conf should be:
In .htaccess or in your server config file.
(1)
And (2)
Place both methods in the
.htaccess
file. It hides any file or directory whose name begins with .git, like the .git directory or the .gitignore file, by returning a 404.
Create an access rights file in your Subversion server installation.
e.g. if your folder structure is
/svn
/svn/rights/svnauth.conf
create a configuration file and enter the path of that file in your Apache Subversion configuration file, which you would normally find at /etc/httpd/conf.d/subversion.conf
In your svnauth.conf file define the rights as:
access rights for Foo.com
[foo.com:/trunk/source]
dev1=rw
dev2=rw .....
This way you can control the access rights from one single file and at a much more granular level.
For more information, peruse the svn red book.
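For completeness, here is the httpd side of the procedure above: the `<Location>` block in subversion.conf that points mod_authz_svn at the svnauth.conf file. This is an added example, not part of the answer; the module paths, the repository parent directory /svn and the htpasswd path are assumptions.

```apache
# Added example (not from the answer): wire the svnauth.conf rights file
# into httpd's Subversion configuration (e.g. /etc/httpd/conf.d/subversion.conf).
# Assumptions: mod_dav_svn and mod_authz_svn are installed in the default
# modules directory, repositories live under /svn (as in the answer), and
# users are kept in an htpasswd file at /svn/rights/htpasswd (placeholder).
LoadModule dav_svn_module   modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so

<Location /svn>
    DAV svn
    # Each subdirectory of /svn is one repository; the "foo.com" in a
    # [foo.com:/trunk/source] section refers to /svn/foo.com.
    SVNParentPath /svn

    # Every request must authenticate before the per-path rules are consulted,
    # so an unauthenticated client never learns repository structure.
    AuthType Basic
    AuthName "Subversion repositories"
    AuthUserFile /svn/rights/htpasswd
    Require valid-user

    # Path-based authorization from the single rights file described above.
    AuthzSVNAccessFile /svn/rights/svnauth.conf
</Location>
```

Within svnauth.conf, any path without an explicit rule is denied, so an account such as dev1 listed only under [foo.com:/trunk/source] cannot read other repositories or other branches. Restart httpd after editing and confirm with `svn ls` as each user that the visible paths match what the file grants.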
I would rather deny access to all dot-files (eg: .htaccess, .svn, .xxx, etc.), as they normally don't need to be web-accessible.
Here's the rule to achieve this (up to and including Apache 2.2):
(UPDATE) Or you can use the following (which works in Apache 2.2 and 2.4):
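The rules themselves are missing from this copy of the answer, so here is an added example (not Riccardo's or any other poster's code) that denies every dot-file and dot-directory in both the Apache 2.2 and 2.4 syntax. It also covers the earlier answer that hides .git the same way. The virtual host name and the DocumentRoot path are placeholders; the version split uses mod_version's `<IfVersion>`, which is assumed to be loaded.

```apache
# Added example: refuse web access to anything whose name starts with a dot
# (.svn, .git, .gitignore, .htaccess, ...). Assumes mod_version is loaded so
# both syntaxes can live in one file; on a single known version keep only
# the matching branch. ServerName and DocumentRoot are placeholders.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/app/current/public

    # Apache 2.2: mod_authz_host syntax.
    <IfVersion < 2.4>
        # Any directory on the path with a leading dot (the negative lookahead
        # keeps /.well-known/ reachable for ACME and similar challenges).
        <DirectoryMatch "/\.(?!well-known)">
            Order allow,deny
            Deny from all
        </DirectoryMatch>
        # Plain dot-files such as .gitignore or .htaccess.
        <FilesMatch "^\.">
            Order allow,deny
            Deny from all
        </FilesMatch>
    </IfVersion>

    # Apache 2.4: mod_authz_core syntax.
    <IfVersion >= 2.4>
        <DirectoryMatch "/\.(?!well-known)">
            Require all denied
        </DirectoryMatch>
        <FilesMatch "^\.">
            Require all denied
        </FilesMatch>
    </IfVersion>
</VirtualHost>
```

Putting this in the server config rather than a per-directory .htaccess means it applies to every deploy Capistrano makes, including the timestamped release directories, and it keeps working if someone later turns `AllowOverride` off. These rules answer with 403; check after a reload that `/.svn/entries`, `/.svn/wc.db` and `/.git/config` (whichever exist) are no longer served.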
I think Riccardo Galli got it right. Even though Apache already had .svn set up as forbidden for me, .svn/entries was certainly available... exposing my svn server, port number, usernames, etc.
I actually figured, why not restrict .git as a preventative measure (say you don't use git yet but may someday, at which time you will not be thinking about directory restrictions).
And then I thought, why not restrict everything that should be hidden anyway? Can anyone conceive of a problem with this?
I added the '.*' after the initial period - the only difference from Riccardo's. It seems to 404 .svn, .git, .blah, etc.
One other way to protect the .svn files would be to use a redirect in the Apache config:
So instead of getting a 403 Forbidden (and providing clues to would-be attackers) you get a 404, which is what we would expect when randomly typing in paths.
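The redirect itself is not in this copy of the answer, so the following is an added example (not the poster's configuration) of the 404 approach, for both the server-config case (mod_alias) and the .htaccess case (mod_rewrite) that the previous answer describes. Paths and the DocumentRoot are placeholders.

```apache
# Added example: answer 404 rather than 403 for any dot-path, so probing for
# /.svn/ or /.git/ looks the same as probing for a path that does not exist.
# Assumptions: mod_alias and mod_rewrite are available; /.well-known/ is
# deliberately excluded so ACME challenges keep working.

# Variant 1: server config or virtual host, using mod_alias.
# The status-only form of RedirectMatch takes no target URL.
<IfModule mod_alias.c>
    RedirectMatch 404 "/\.(?!well-known/)"
</IfModule>

# Variant 2: a .htaccess file in the public folder, for hosts where only
# per-directory overrides are allowed. The pattern (^|/)\. catches a dot
# at the start of the path or after any slash, i.e. .svn, .git, .blah and
# their contents, without touching index.html or other normal names.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule "(^|/)\.(?!well-known/)" - [R=404,L]
</IfModule>
```

The difference between the two variants is only where the rule can live; both return 404 before any file is opened, so the response does not depend on the working copy's layout. Test with the real .svn paths after deploying, since a 404 from a rule and a 404 from a missing file are indistinguishable from the outside, which is exactly the point.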