[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Security issue when defining wrong location directive in Apache

From: Ryan Schmidt <subversion-2006Q1_at_ryandesign.com>
Date: 2006-01-17 01:28:31 CET

On Jan 17, 2006, at 00:50, Sander wrote:

> I had some repositories under my https-root ..


> BUT, when somebody would be smart and guessed a URL .. he could
> browse directly to ' https://domainname/projects/<reposname>/<file-
> to-download>' and therefore bypass the Location-based
> authentication (that looks for /svn instead of /projects in the
> URL !!) and download the repository files (in raw database format).
> So isn't it best practise to name the last part of the
> SVNParentPath / SVNPath exactly the same as the 'Location'
> directive path ?

I believe the documentation specifically advises against that, as it
could potentially confuse Apache. I don't know whether it actually
confuses Apache or not. The best-practice, though, is to not have
your repository under your document root at all. There's no reason
for it to be there.

To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jan 17 01:36:37 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.