[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Forbidding directory listing

From: Ryan Schmidt <subversion-2008c_at_ryandesign.com>
Date: Mon, 7 Jul 2008 15:26:22 -0500

On Jul 7, 2008, at 15:05, Patrick Krekelberg wrote:

> I have a Windows server which is running Apache 2 with a number of
> repositories. I have one Location on the "insecure" HTTP domain
> which is being accessed in httpd.conf like this:
>
> <Location />
> DAV svn
> SVNListParentPath Off
> SVNParentPath //myServer/SVN/public
> </Location>
>
> This is allowing an "insecure" unauthenticated connection to a
> specific directory where I have a number of repositories intended
> for business units to release code. I have a "secure" method for
> accessing this same directory in my ssl.conf file:
>
> <Location /pub>
> DAV svn
> SVNListParentPath On
> SVNParentPath //myServer/SVN/public
>
> SSLRequireSSL
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain myActiveDirectoryServer
> SSPIOmitDomain on
> SSPIUsernameCase lower
> SSPIPerRequestAuth Off
> SSPIOfferBasic On
> AuthName "my Public Repository"
> Require valid-user
> </Location>
>
> The idea is that developers could create folders and post releases
> to the public repository using the secure, authenticated view, but
> clients could access the same files using the insecure link.
>
> So, I can go to http://svn.mydomain.com/ or https://
> svn.mydomain.com/pub/ to get to the same place. The problem is, if
> I go to http://svn.mydomain.com/aRepositoryName I get a directory
> listing of the folders in the repository!! I want to be able to
> send a client a URL like http://svn.mydomain.com/aRepositoryName/
> ClientName/ProjectName/myfile.zip while knowing they cannot go down
> a few folders and look at other client releases.
>
> I have tried adding Options -Indexes to the Location tag in the
> httpd.conf file but this does nothing. What am I missing? If I
> could make it impossible to list any folders using the http://
> version of the access that would be perfect. That way clients could
> download files, but also view completed web applications in the
> http:// domain but wouldn't be able to list anything.

Trying to solve this problem with Apache directives won't work
because a user could still use the svn command line client to list
the directory contents.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-07-07 22:27:01 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.