[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Forbidding directory listing

From: Ryan Schmidt <subversion-2008c_at_ryandesign.com>
Date: Mon, 7 Jul 2008 17:33:33 -0500

On Jul 7, 2008, at 17:12, Patrick Krekelberg wrote:

> On Jul 7, 2008, at 3:26 PM, Ryan Schmidt wrote:
>> On Jul 7, 2008, at 15:05, Patrick Krekelberg wrote:
>>> I have a Windows server which is running Apache 2 with a number
>>> of repositories. I have one Location on the "insecure" HTTP
>>> domain which is being accessed in httpd.conf like this:
>>> <Location />
>>> DAV svn
>>> SVNListParentPath Off
>>> SVNParentPath //myServer/SVN/public
>>> </Location>
>>> This is allowing an "insecure" unauthenticated connection to a
>>> specific directory where I have a number of repositories intended
>>> for business units to release code. I have a "secure" method for
>>> accessing this same directory in my ssl.conf file:
>>> <Location /pub>
>>> DAV svn
>>> SVNListParentPath On
>>> SVNParentPath //myServer/SVN/public
>>> SSLRequireSSL
>>> AuthType SSPI
>>> SSPIAuth On
>>> SSPIAuthoritative On
>>> SSPIDomain myActiveDirectoryServer
>>> SSPIOmitDomain on
>>> SSPIUsernameCase lower
>>> SSPIPerRequestAuth Off
>>> SSPIOfferBasic On
>>> AuthName "my Public Repository"
>>> Require valid-user
>>> </Location>
>>> The idea is that developers could create folders and post
>>> releases to the public repository using the secure, authenticated
>>> view, but clients could access the same files using the insecure
>>> link.
>>> So, I can go to http://svn.mydomain.com/ or https://
>>> svn.mydomain.com/pub/ to get to the same place. The problem is,
>>> if I go to http://svn.mydomain.com/aRepositoryName I get a
>>> directory listing of the folders in the repository!! I want to be
>>> able to send a client a URL like http://svn.mydomain.com/
>>> aRepositoryName/ClientName/ProjectName/myfile.zip while knowing
>>> they cannot go down a few folders and look at other client releases.
>>> I have tried adding Options -Indexes to the Location tag in the
>>> httpd.conf file but this does nothing. What am I missing? If I
>>> could make it impossible to list any folders using the http://
>>> version of the access that would be perfect. That way clients
>>> could download files, but also view completed web applications in
>>> the http:// domain but wouldn't be able to list anything.
>> Trying to solve this problem with Apache directives won't work
>> because a user could still use the svn command line client to list
>> the directory contents.
> Ryan, I only need to limit directory listings from the web browser
> and only web using the http view of the repository. Is this possible?

This will cause the browser to respond with a 404 (not found) message
if anyone tries to access a directory (i.e. a URL ending with a slash):

RedirectMatch 404 /$

This way would work if your Subversion repositories are hosted in a
dedicated vhost (hostname).

If instead your Subversion repositories share a vhost (hostname) with
other content, you could restrict the 404 behavior to just the part
of your URL space in which you serve repositories. For example if all
your repositories are in http://www.example.com/svn/ then:

RedirectMatch 404 ^/svn/(.*/)?$

Clever users who try to guess your repository or directory names will
be able to tell whether their guess is right or not -- If you're
using SVNParentPath and they request a repository that does not exist
they'll get "Could not open the requested SVN filesystem" but if they
try to access a repository that does exist they'll get "The requested
URL /foo/ was not found on this server". Also, for repositories that
exist, and for paths within a repository that exist, requesting the
URL without a slash will redirect to the URL with a slash added. For
items that don't exist, this redirect won't happen. So this is not a
completely bullet-proof solution.

And as I said, a Subversion client will still be able to list the
contents of the directories. So it really won't prevent a determined
individual from seeing the names of items in your repository.

To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-07-08 00:34:02 CEST

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.