
Re: .svn on the web? Risk

From: Ryan Schmidt <subversion-2006Q1_at_ryandesign.com>
Date: 2006-02-01 22:29:13 CET

On Feb 1, 2006, at 19:46, Jonathan Powell wrote:

> I was wondering if there was a risk to having the .svn folders on your
> website. Is it possible to hack into your source code because of
> this or
> are you giving out too much information?

Unless you tell it not to, Apache and most other web servers will
happily serve any file you put in your document root. So if you have
/index.php which contains some sensitive database passwords, then
anyone can access /.svn/text-base/index.php.svn-base and read 'em.
[1] So you'd best block access to those .svn directories.

It's quite easy though. You can just drop this in your httpd.conf:

<Files ".svn">
        Order allow,deny
        Deny from all
</Files>
<DirectoryMatch "/\.svn/">
        Order allow,deny
        Deny from all
</DirectoryMatch>

This will give the visitor a "403 Forbidden" message if they try to
access your .svn directories.

I think I much prefer this sneakier one-liner though:

RedirectMatch 404 /\.svn(/|$)

It gives a "404 Not Found" message, so nobody will have any idea
you've got a working copy up there. This method won't put anything
into the Apache error log either when someone tries to access one of
these directories; whether you consider that a good or bad thing is
up to you.

[1] Actually I just tried this and it seems that while Lighty 1.4.9
will happily show you the PHP source, Apache 2.2.0 will try to
execute the svn-base file as PHP code. But that's probably not a good
idea either, since your code was probably not designed to work from
there. I don't know what earlier Apaches do.
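
The following is an added example, not part of the original mail: it walks a (constructed) document root for working-copy metadata that a web server would serve and checks each resulting request path against the two patterns quoted above, `/\.svn/` from the DirectoryMatch block and `/\.svn(/|$)` from the RedirectMatch one-liner. It treats both as plain regular expressions over the URL path (real Apache evaluates DirectoryMatch against the filesystem directory, and mod_dir would redirect a bare `/.svn` to `/.svn/` first), so what it shows is which paths each pattern, on its own, covers.

```python
"""Audit a docroot for .svn metadata and check which of the two Apache
patterns from the mail would refuse each resulting request path."""
import os
import re
import tempfile

# The two patterns exactly as written in the mail.
DIRECTORYMATCH_RE = re.compile(r"/\.svn/")
REDIRECTMATCH_RE = re.compile(r"/\.svn(/|$)")


def svn_urls(docroot):
    """URL paths (relative to docroot) of every .svn directory and of
    everything stored beneath one."""
    urls = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            parts = os.path.relpath(os.path.join(dirpath, name), docroot).split(os.sep)
            if ".svn" in parts:
                urls.append("/" + "/".join(parts))
    return sorted(urls)


def blocked_by(url):
    """Which of the two patterns matches this request path."""
    return {
        "DirectoryMatch": bool(DIRECTORYMATCH_RE.search(url)),
        "RedirectMatch": bool(REDIRECTMATCH_RE.search(url)),
    }


def audit(docroot):
    """Map each working-copy URL under docroot to the patterns covering it."""
    return {url: blocked_by(url) for url in svn_urls(docroot)}


def build_sample_docroot():
    """Constructed sample tree: a small PHP site checked out in two places."""
    root = tempfile.mkdtemp()
    for rel in ["index.php", ".svn/entries", ".svn/text-base/index.php.svn-base",
                "blog/post.php", "blog/.svn/entries"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for url, rules in audit(build_sample_docroot()).items():
        print(url, rules)  # e.g. the bare /.svn is matched only by RedirectMatch
```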

Received on Wed Feb 1 22:30:53 2006

This is an archived mail posted to the Subversion Users mailing list.
