[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Security issue when defining wrong location directive in Apache

From: FG <fgatwork_at_verizon.net>
Date: 2006-01-17 06:48:50 CET

Sander wrote:
> Thanks for your replies.
> The AuthUserFile IS outside the Documentroot. Maybe it looks a little
> bit confusing, but it's a Plesk machine .. webroot starts at
> */httpsdocs (or httpdocs for non-SSL). Sorry for not mentioning that.
> So (for example):
> Documentroot = /var/www/domainname/httpsdocs/
> SVNParentPath = /var/www/domainname/httpsdocs/projects/
> 2- placing SVNParentPath (and all files/repos below that) outside the
> documentroot, make it Apache readable (and writable i guess ?).
> Option 2 might be the best option, and i think i'm going for that ...
> but can you guys tell me if option 1 will be secure enough also (that
> way the files will be included in daily backup).
> With regards,
> Sander

Option 2 is the best option, and one that Ryan and Phil both hinted at.
What you have done is created two separate ways of getting to that
directory structure. One method as a shortcut off your DocumentRoot and
the other as an Alias. What you describe in option 2 is what you need
to do.

The <Location> directive can be looked at (simplifying it) as both a
<Directory> tag and an <Alias> tag at the same time. So you should put
it outside of your DocumentRoot.


To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jan 17 06:50:02 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.