[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: .svn on the web? Risk

From: Johnson, Rick <JohnsonR_at_gc.adventist.org>
Date: 2006-02-02 13:47:37 CET

Rick Johnson wrote and then replied to himself

> IIS (on Windows 2003) won't serve files from a hidden directory which
> the .svn files are by default so that's enough protection for me.

Teach me to speak without trying something. IIS on Windows 2003 will
deny the existence of a hidden directory or file but will happily serve
a non-hidden file in a hidden directory. That said, IIS 6, by default,
only serves files of certain known extensions and you have to either
manually add the extensions or set the site to allow all extensions.
Since I generally use the more restrictive default setup, IIS 6 won't
serve any of the files in the .svn directories with the exception of the
readme.txt since they are all unknown (to it) extensions. That's still
enough security for me but I wish there was a way in IIS 6 to deny
access to a matched name like Apache.


To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Feb 2 13:53:51 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.