
Re: Forbidding directory listing

From: Ryan Schmidt <subversion-2008c_at_ryandesign.com>
Date: Mon, 7 Jul 2008 20:49:36 -0500

On Jul 7, 2008, at 20:16, Patrick Krekelberg wrote:

>>> Ryan, I only need to limit directory listings from the web
>>> browser and only web using the http view of the repository. Is
>>> this possible?
>>
>> This will cause the browser to respond with a 404 (not found)
>> message if anyone tries to access a directory (i.e. a URL ending
>> with a slash):
>>
>> RedirectMatch 404 /$
>>
>> This way would work if your Subversion repositories are hosted in
>> a dedicated vhost (hostname).
>>
>> If instead your Subversion repositories share a vhost (hostname)
>> with other content, you could restrict the 404 behavior to just
>> the part of your URL space in which you serve repositories. For
>> example if all your repositories are in
>> http://www.example.com/svn/ then:
>>
>> RedirectMatch 404 ^/svn/(.*/)?$
>>
>> Clever users who try to guess your repository or directory names
>> will be able to tell whether their guess is right or not -- If
>> you're using SVNParentPath and they request a repository that does
>> not exist they'll get "Could not open the requested SVN
>> filesystem" but if they try to access a repository that does exist
>> they'll get "The requested URL /foo/ was not found on this
>> server". Also, for repositories that exist, and for paths within a
>> repository that exist, requesting the URL without a slash will
>> redirect to the URL with a slash added. For items that don't
>> exist, this redirect won't happen. So this is not a completely
>> bullet-proof solution.
>>
>> And as I said, a Subversion client will still be able to list the
>> contents of the directories. So it really won't prevent a
>> determined individual from seeing the names of items in your
>> repository.
>
> This is of course not perfect but oddly it works nicely for my
> uses. This way I can have developers access the repositories to
> post files using Tortoise but clients viewing via the web can only
> see the specific files. One weird thing is the one RedirectMatch in
> the Location tag of the httpd.conf resulted in the same effect on
> all of the secure repositories as well. Is there any way to un-set
> the RedirectMatch in ssl.conf for the files which are accessed
> using HTTPS?

So it sounds like you have two vhost directives, one for http and one
for https, and from both of these you are including a common
configuration file for your svn repositories. If so, then don't put
the RedirectMatch into the common svn configuration file, but put it
in the configuration for only the http vhost, but not into the
configuration for the https vhost.

Alternately, I believe that Apache sets the environment variable
"HTTPS" to some value (maybe "yes" or "1"?) if SSL is being used. So
if you can find a way to set Apache directives conditionally based on
whether or not an environment variable is set, you can test for the
HTTPS variable. I can't recall off the top of my head a way to do
this. For the CustomLog directive you can add a parameter like
env=!HTTPS but I don't know if that can be used on other Apache
directives or only on the CustomLog directive.

Please remember to Reply All so your reply goes to the list too, not
just to me.

Received on 2008-07-08 03:50:11 CEST
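
The vhost split suggested in the reply above, written out as an added example (not part of the original mail and not anyone's actual configuration). The file name conf/svn-common.conf, the /var/svn parent path and the certificate paths are assumed placeholders; the hostname, the /svn/ URL prefix and the RedirectMatch line are the ones quoted in the thread.

```apache
# --- conf/svn-common.conf (hypothetical shared file, included by both vhosts) ---
# It holds only the repository setup and deliberately no RedirectMatch:
#
#   <Location /svn>
#       DAV svn
#       SVNParentPath /var/svn
#   </Location>

# --- Plain-HTTP vhost: directory URLs under /svn/ answer 404 ---
<VirtualHost *:80>
    ServerName www.example.com
    Include conf/svn-common.conf

    # Scoped form from the thread: matches /svn/ and any deeper URL that
    # ends in a slash, so other content on this hostname is unaffected.
    # File URLs such as /svn/repo/trunk/README do not end in a slash and
    # are still served.
    RedirectMatch 404 ^/svn/(.*/)?$
</VirtualHost>

# --- HTTPS vhost: same repositories, no RedirectMatch ---
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem
    Include conf/svn-common.conf

    # No RedirectMatch here: directory URLs keep their normal behaviour
    # for users who reach the repositories over HTTPS.
</VirtualHost>
```

Because RedirectMatch placed in the main server configuration is inherited by every vhost, the directive has to live inside the port-80 VirtualHost block for the HTTPS side to stay unaffected.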

This is an archived mail posted to the Subversion Users mailing list.