
Re: Security issue when defining wrong location directive in Apache

From: Phil Endecott <spam_from_subversion_users_at_chezphil.org>
Date: 2006-01-17 01:32:43 CET

Sander wrote:

> I had some repositories under my https-root ..
>
> My Apache conf was:

I assume DocumentRoot /var/www

> <Location /svn>
> DAV svn
> SVNParentPath /var/www/domainname/httpsdocs/projects
>
> AuthType Basic
> AuthName "Subversion Repository Access"
> AuthUserFile /var/www/domainname/private/.xsinfo
>
> </Location>
>
> This looks quite ok, doesn't it?

No it doesn't look OK. You have put your AuthUserFile inside your
DocumentRoot. This is at best bad practice and at worst a huge security
hole; see http://httpd.apache.org/docs/2.0/mod/mod_auth.html and look at
the "Security" box under "AuthUserFile".

Your issue with your subversion repository is essentially the same.

Don't put things under your DocumentRoot unless you want to serve them.

--Phil.

Received on Tue Jan 17 01:42:59 2006
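
A lint check for the mistake pointed out in the reply above, as an added example that is not part of the original mail: it flags path-valued directives such as AuthUserFile and SVNParentPath that point inside a DocumentRoot. The directive list and function names are assumptions of this example, the sample configuration is constructed from the quoted one plus the DocumentRoot /var/www assumed in the reply, and the comparison is lexical only (symlinks and Alias mappings are not followed).

```python
import posixpath
import re

# Path-valued directives whose target should never be web-served.
# (Which directives to check is this example's assumption.)
SENSITIVE = {"authuserfile", "authgroupfile", "svnparentpath", "svnpath"}

# Constructed sample: the configuration quoted in the thread, plus the
# DocumentRoot that the reply assumes.
SAMPLE_CONF = """\
DocumentRoot /var/www
<Location /svn>
  DAV svn
  SVNParentPath /var/www/domainname/httpsdocs/projects
  AuthType Basic
  AuthName "Subversion Repository Access"
  AuthUserFile /var/www/domainname/private/.xsinfo
</Location>
"""

def is_under(path, root):
    """True if path equals root or lies below it (lexical comparison only)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return posixpath.commonpath([path, root]) == root

def find_exposed_paths(conf_text):
    """Return (line_no, directive, path) for sensitive paths inside any DocumentRoot."""
    roots, candidates = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip blanks, comments and section tags
        m = re.match(r'(\S+)\s+"?([^"]+?)"?\s*$', line)
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if not posixpath.isabs(arg):
            continue  # relative paths depend on ServerRoot; not handled here
        if name == "documentroot":
            roots.append(arg)
        elif name in SENSITIVE:
            candidates.append((no, m.group(1), arg))
    return [c for c in candidates if any(is_under(c[2], r) for r in roots)]

if __name__ == "__main__":
    for no, directive, path in find_exposed_paths(SAMPLE_CONF):
        print(f"line {no}: {directive} {path} is inside a DocumentRoot")
```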

This is an archived mail posted to the Subversion Users mailing list.
