
Re: Security issue when defining wrong location directive in Apache

From: Ryan Schmidt <subversion-2006Q1_at_ryandesign.com>
Date: 2006-01-17 01:28:31 CET

On Jan 17, 2006, at 00:50, Sander wrote:

> I had some repositories under my https-root ..

[snip]

> BUT, when somebody would be smart and guessed a URL .. he could
> browse directly to 'https://domainname/projects/<reposname>/<file-to-download>'
> and therefore bypass the Location-based authentication (that looks
> for /svn instead of /projects in the URL !!) and download the
> repository files (in raw database format).
>
> So isn't it best practice to name the last part of the
> SVNParentPath / SVNPath exactly the same as the 'Location'
> directive path ?

I believe the documentation specifically advises against that, as it
could potentially confuse Apache. I don't know whether it actually
confuses Apache or not. The best practice, though, is to not have
your repository under your document root at all. There's no reason
for it to be there.

Received on Tue Jan 17 01:36:37 2006
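
An added example, not part of the original post or of the Subversion documentation: a small Python check that flags any SVNPath/SVNParentPath directory located under DocumentRoot, which is the layout described in the thread. The two sample configurations and every file system path in them are constructed assumptions; paths containing spaces are not handled.

```python
import posixpath
import re

# Constructed sample: repositories live under the document root, while
# authentication is attached only to the /svn Location (paths are assumed).
WEAK_CONF = """
DocumentRoot "/var/www/html"
<Location /svn>
    DAV svn
    SVNParentPath /var/www/html/projects
    AuthType Basic
    AuthName "Subversion"
    AuthUserFile /etc/apache2/svn.passwd
    Require valid-user
</Location>
"""

# Same configuration with the repositories moved out of the document root.
FIXED_CONF = WEAK_CONF.replace("/var/www/html/projects", "/srv/svn/projects")

DIRECTIVE = re.compile(
    r'^\s*(DocumentRoot|SVNParentPath|SVNPath)\s+"?([^"\s]+)"?\s*$',
    re.IGNORECASE | re.MULTILINE,
)

def repos_under_docroot(conf_text):
    """Return (repo_path, docroot, plain_url) for each repository directory
    that Apache would also serve as ordinary files, outside the Location."""
    roots, repos = [], []
    for name, path in DIRECTIVE.findall(conf_text):
        path = posixpath.normpath(path)
        (roots if name.lower() == "documentroot" else repos).append(path)
    findings = []
    for repo in repos:
        for root in roots:
            if repo == root:
                findings.append((repo, root, "/"))
            elif repo.startswith(root.rstrip("/") + "/"):
                # URL prefix under which the raw repository files are reachable
                findings.append((repo, root, "/" + posixpath.relpath(repo, root)))
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        hits = repos_under_docroot(conf)
        print(label, "->", hits if hits else "no repository under DocumentRoot")
```
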

This is an archived mail posted to the Subversion Users mailing list.
