[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Forbidding directory listing

From: Patrick Krekelberg <patrick_at_bellapk.com>
Date: Mon, 7 Jul 2008 17:12:52 -0500

On Jul 7, 2008, at 3:26 PM, Ryan Schmidt wrote:

>
> On Jul 7, 2008, at 15:05, Patrick Krekelberg wrote:
>
>> I have a Windows server which is running Apache 2 with a number of
>> repositories. I have one Location on the "insecure" HTTP domain
>> which is being accessed in httpd.conf like this:
>>
>> <Location />
>> DAV svn
>> SVNListParentPath Off
>> SVNParentPath //myServer/SVN/public
>> </Location>
>>
>> This is allowing an "insecure" unauthenticated connection to a
>> specific directory where I have a number of repositories intended
>> for business units to release code. I have a "secure" method for
>> accessing this same directory in my ssl.conf file:
>>
>> <Location /pub>
>> DAV svn
>> SVNListParentPath On
>> SVNParentPath //myServer/SVN/public
>>
>> SSLRequireSSL
>> AuthType SSPI
>> SSPIAuth On
>> SSPIAuthoritative On
>> SSPIDomain myActiveDirectoryServer
>> SSPIOmitDomain on
>> SSPIUsernameCase lower
>> SSPIPerRequestAuth Off
>> SSPIOfferBasic On
>> AuthName "my Public Repository"
>> Require valid-user
>> </Location>
>>
>> The idea is that developers could create folders and post releases
>> to the public repository using the secure, authenticated view, but
>> clients could access the same files using the insecure link.
>>
>> So, I can go to http://svn.mydomain.com/ or https://svn.mydomain.com/pub/
>> to get to the same place. The problem is, if I go to http://svn.mydomain.com/aRepositoryName
>> I get a directory listing of the folders in the repository!! I
>> want to be able to send a client a URL like http://svn.mydomain.com/aRepositoryName/ClientName/ProjectName/myfile.zip
>> while knowing they cannot go down a few folders and look at other
>> client releases.
>>
>> I have tried adding Options -Indexes to the Location tag in the
>> httpd.conf file but this does nothing. What am I missing? If I
>> could make it impossible to list any folders using the http://
>> version of the access that would be perfect. That way clients could
>> download files, but also view completed web applications in the
>> http:// domain but wouldn't be able to list anything.
>
> Trying to solve this problem with Apache directives won't work
> because a user could still use the svn command line client to list
> the directory contents.
>
>

Ryan, I only need to limit directory listings from the web browser and
only web using the http view of the repository. Is this possible?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-07-08 00:13:15 CEST

This is an archived mail posted to the Subversion Users mailing list.