Deny access to .svn folders on Apache
SvnApacheDeploymentCapistranoSvn Problem Overview
We have a rails application in subversion that we deploy with Capistrano but have noticed that we can access the files in '/.svn', which presents a security concern.
I wanted to know what the best way to do this. A few ideas:
- Global Apache configuration to deny access
- Adding .htaccess files in the public folder and all subfolders
- Cap task that changes the permissions
I don't really like the idea of deleting the folders or using svn export, since I would like to keep the 'svn info' around.
Svn Solutions
Solution 1 - Svn
The best option is to use Apache configuration.
Using htaccess or global configuration depends mainly on if you control your server.
If you do, you can use something like
<DirectoryMatch ..svn/.> Deny From All </DirectoryMatch>
If you don't, you can do something similar in .htaccess files with FilesMatch
Solution 2 - Svn
One other way to protect the .svn files would be to use a redirect in the Apache config:
RedirectMatch 404 /\\.svn(/|$)
So instead of getting a 403 forbidden (and providing clues to would be attackers) you get a 404, which is what we would expect when randomly typing in paths.
Solution 3 - Svn
I do not like the idea of 404ing each file startig wit a dot. I'd use a more selective approach, either with the cvs I'm using in the project (svn in the example)
RedirectMatch 404 /\\.svn(/|$)
or a catch all cvs systems
RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$)
-- outdated answer follows (see comments) --
I cant write comments yet so... The answer of csexton is incorrect, because an user cannot access the .svn folder, but can access any files inside it ! e.g. you can access http://myserver.com/.svn/entries
The correct rule is
RedirectMatch 404 /\\.svn(/.*|$)
Solution 4 - Svn
I think Riccardo Galli got it right. Even apache already had .svn setup as forbidden for me, but .svn/entries was certainly available...exposing my svn server, port number, usernames, etc.
I actually figure, why not restrict .git as a preventative measure (say you don't use git yet but may someday at which time you will not be thinking about directory restrictions).
And then I thought, why not restrict everything that should be hidden anyway? Can anyone conceive of a problem with this?
RedirectMatch 404 /\\..*(/.*|$)
I added the '.*' after the initial period - only difference from Riccardo. Seems to 404 .svn, .git, .blah, etc.
Solution 5 - Svn
I would rather deny access to all dot-files (eg: .htaccess, .svn, .xxx, etc.), as they normally don't need to be web-accessible.
Here's the rule to achieve this (until Apache 2.2 included):
<LocationMatch "\/\..*">
Order allow,deny
Deny from all
</LocationMatch>
(UPDATE) Or you can use the following (which works in Apache 2.2 and 2.4):
# Deny access to dot-files, as 404 error
# (not giving hint about potential existence to the file)
RedirectMatch 404 ".*\/\..*"
Solution 6 - Svn
A RedirectMatch will respond with a 404, which is great.
However, if "Options +Indexes" is enabled, then users will still be able to see the '.svn' directory from the Parent directory.
Users won't be able to enter the directory-- this is where the '404 Not Found' comes in. However, they will be able to see the directory and provide clues to would be attackers.
Solution 7 - Svn
I seems to me, Apache conf should be :
<Directory ~ "\.svn">
Order allow,deny
Deny from all
</Directory>
Solution 8 - Svn
I'm not all that fond of RedirectMatch, so I used a RewriteRule instead:
RewriteRule /\..*(/.*|$) - [R=404,L]
The hyphen means "don't do any substitution". I also could not figure out why, in the examples above, the regex had two backslashes:
/\\..*(/.*|$)
So I took one out and it works fine. I can't figure out why you would use two there. Someone care to enlighten me?
Solution 9 - Svn
This:
RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /
can also be used if you don't want to send an error back to the user.
It's only redirecting back to the site rootpage. Also, this is a permanent redirect, so the robots won't try to reindex this URL.
Solution 10 - Svn
Apache Subversion FAQ is sugesting this solution:
# Disallow browsing of Subversion working copy administrative dirs.
<DirectoryMatch "^/.*/\.svn/">
Order deny,allow
Deny from all
</DirectoryMatch>
source: https://subversion.apache.org/faq.html#website-auto-update
Solution 11 - Svn
RedirectMatch like other directives from mod_alias is case sensitive even on case-insensitive file systems (see mod_alias documentation). So the answers above about matching and blocking files of all version control systems are not correct.
Instead of
RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$)
or
RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /
something like this is necessary
RedirectMatch 404 "(?i)/\.?(cvs|svn|git|hg|bzr)"
to really block everything, because
- CVS directories are uppercase; and
- don't start with a dot (.) in front.
I hope that helps.
Solution 12 - Svn
In .htaccess on your server config file.
(1)
RewriteEngine on
RewriteRule "^(.*/)?\.git/" - [F,L]
And (2)
RedirectMatch 404 /\.git
Place this both method in .htaccess
file.
It hides any file or directory whose name begins with .git Like .git directory or .gitignore file by returning a 404.
Solution 13 - Svn
Create a access rights file in your subversion server installation.
e.g if you folder structure is
/svn
/svn/rights/svnauth.conf
create a configuration file and enter the path of that file in your apache subversion configuration file which you would normally find at /etc/httpd/conf.d/subversion.conf
In your svnauth.conf file define the rights as :
access rights for Foo.com
[foo.com:/trunk/source]
dev1=rw
dev2=rw .....
This way you can control the access rights from one single file and at much granular level.
For more information peruse through the svn red book.