Sunday, June 10, 2012

Security: Deny access to .hg/* via mod_rewrite


My website is a mercurial repository with multiple subrepositories. I need to make sure I'm denying access to all files in every .hg directory on the server.



For example, I have http://example.com/.hg/ and http://example.com/subrepo1/.hg/



I've added the following to .htaccess:




<Files ~ "^\.(hg|ht)">
Order allow,deny
Deny from all
</Files>



This is a good start, as it denies access to files beginning with .hg and .ht , but it doesn't deny access to the files inside .hg directories, so if someone types, for instance http://example.com/.hg/branch , the branch file will be displayed in their browser.



What do I need to do in order to make sure these files are not displayed to the user? I'd like to send either a 403 or a 404 back to the browser if someone tries to access a file inside any .hg directory on my server.



This question is also relevant for anyone whose website is a subversion / svn repository.


Source: Tips4all

3 comments:

  1. If you don't have to use mod_rewrite, then you can just do this:

    RedirectMatch 404 /\\.hg(/|$)


    (Full disclosure: answer adapted for Mercurial from this question about doing the same thing for Subversion).

    ReplyDelete
  2. You always have the possibility to place .htaccess files in these folders and deny all access within the Folder.

    I'm assuming you want a solution, where you don't have to put the .htaccess files in every folder and subfolder?

    Try the following (assuming you have ssh access to the webserver):


    Change into the DocumentRoot of your site
    create a .htaccess file


    Content:

    Order deny, allow
    Deny from all



    Execute the following command:

    find . -type d -name .hg -exec cp ./.htaccess {} \;
    Afterwards delete the .htaccess file from your document root again

    ReplyDelete
  3. This is much less of a concern if you just keep the repositories outside of your DocumentRoot altogether. You're probably using hgweb or hgwebdir, which don't require the files be inside the DocumentRoot, so don't do it. Put them in /home/hg/repos or something and configure your hgwebdir.conf to look there.

    The only reason to have the repos inside the DocumentRoot would be enable the static-http URL form for mercurial, but it's very slow and hgweb is always preferred when it's possible.

    ReplyDelete