Hello guys,
Many developers check out the working tree directly into the web server's
public folder, and this poses a security risk. Anyone can then point
their browser at the ".svn/text-base" directory, for
example, and access sensitive data such as previous versions of a file,
or even the source code of it, because of the ".svn-base" suffix in the
filename. This is described in more detail at
"http://scottbarnham.com/blog/2008/04/22/serving-websites-from-svn-checkout-considered-harmful/".
I know that "svn export" exists and this is the way to check out the tree
properly and safely, but this is an extra step which developers have to
do, and you know that extra steps are usually skipped if they can be
skipped.
Nevertheless, I see no valid reason for the administrative ".svn"
directories to be world-accessible; correct me if I'm wrong. That's
why I propose that SVN creates these ".svn" directories with file
permissions which disallow "others" from entering these directories. Here is
the proposed patch against the source code of Subversion 1.6.6:
--- ./subversion/libsvn_wc/adm_files.c-orig 2010-01-11
12:47:23.000000000 +0200
+++ ./subversion/libsvn_wc/adm_files.c 2010-01-11 12:48:57.000000000 +0200
@@ -627,7 +627,8 @@
make_empty_adm(const char *path, apr_pool_t *pool)
{
path = svn_wc__adm_child(path, NULL, pool);
- return svn_io_dir_make_hidden(path, APR_OS_DEFAULT, pool);
+ /* Protect the administrative subdir from being accessible by
"others". */
+ return svn_io_dir_make_hidden(path, (APR_OS_DEFAULT & ~(APR_WEXECUTE
| APR_WWRITE | APR_WREAD)), pool);
}
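Review bot: the mask on the new `svn_io_dir_make_hidden` call clears only the "others" bits, so it helps just when the web server process is neither the owner of the checkout nor in its group; in the scenario described above (a developer's own checkout served from the public folder, where the server account is often the same user or shares the group) `.svn/text-base` stays readable, and the requested mode is in any case still filtered by the process umask. The restriction also takes effect only where `make_empty_adm()` creates a fresh administrative directory, so existing working copies keep their current permissions. Suggest saying both limits in the comment, e.g. `/* Clear "others" bits on the admin dir; does not protect against a server running as the owner or group. */`, and noting in the proposal that `svn export` remains the reliable fix.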
Please let me know what you think. Should I direct this to the "dev"
mailing list? Thanks.
Best regards,
Ivan Zahariev
Received on 2010-01-11 12:06:12 CET
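As an added example, not part of the mailing-list post or of Subversion itself, the following POSIX shell script audits an existing web root for ".svn" directories that "others" can enter or read and applies the same restriction the proposed patch applies at creation time (clearing the o+rwx bits) to checkouts that already exist. It assumes only `find`, `ls`, `cut` and `chmod` are available; the web-root path is the caller's.

```shell
#!/bin/sh
# Added example (not from the original post or the Subversion project):
# audit a web root for world-accessible ".svn" directories and, on request,
# strip the "others" bits from them, which is what the proposed patch does
# for newly created administrative directories.

# Print the three-character "others" permission field (e.g. "r-x") of a path.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# List every ".svn" directory under $1 whose "others" bits are not all cleared.
# Output: one path per line; empty output means none is world-accessible.
find_exposed_svn_dirs() {
    find "$1" -type d -name .svn | while IFS= read -r d; do
        [ "$(other_bits "$d")" = "---" ] || printf '%s\n' "$d"
    done
}

# Apply the patch's intent to an existing checkout: remove all "others" bits
# from each exposed ".svn" directory. Without the x bit nothing beneath it can
# be traversed, so text-base/ stays hidden from a server running as "other".
# Note: this does not help when the server runs as the owner or in its group.
fix_svn_dir_perms() {
    find_exposed_svn_dirs "$1" | while IFS= read -r d; do
        chmod o-rwx "$d"
    done
}
```

Run `find_exposed_svn_dirs /path/to/docroot` to report, then `fix_svn_dir_perms /path/to/docroot` to remediate.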