Sunday, May 20, 2012

Deny access to .svn folders on Apache


We have a rails application in subversion that we deploy with Capistrano but have noticed that we can access the files in '/.svn', which presents a security concern.



I wanted to know the best way to do this. A few ideas:



  • Global Apache configuration to deny access

  • Adding .htaccess files in the public folder and all subfolders

  • Cap task that changes the permissions



I don't really like the idea of deleting the folders or using svn export, since I would like to keep the 'svn info' around.


Source: Tips4all

9 comments:

  1. The best option is to use Apache configuration.

    Using htaccess or global configuration depends mainly on if you control your server.

    If you do, you can use something like


    <DirectoryMatch .*\.svn/.*>
    Deny From All
    </DirectoryMatch>


    If you don't, you can do something similar in .htaccess files with FilesMatch.

  2. One other way to protect the .svn files would be to use a redirect in the Apache config:

    RedirectMatch 404 /\\.svn(/|$)


    So instead of getting a 403 forbidden (and providing clues to would-be attackers) you get a 404, which is what we would expect when randomly typing in paths.

  3. I do not like the idea of 404ing each file starting with a dot.
    I'd use a more selective approach, either with the cvs I'm using in the project (svn in the example)

    RedirectMatch 404 /\\.svn(/|$)


    or a catch-all for cvs systems

    RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$)


    -- outdated answer follows (see comments) --

    I can't write comments yet so...
    The answer of csexton is incorrect, because a user cannot access the .svn folder, but can access any files inside it!
    e.g. you can access
    http://myserver.com/.svn/entries

    The correct rule is

    RedirectMatch 404 /\\.svn(/.*|$)

  4. I think Riccardo Galli got it right. Even though apache already had .svn set up as forbidden for me, .svn/entries was certainly available...exposing my svn server, port number, usernames, etc.

    I actually figure, why not restrict .git as a preventative measure (say you don't use git yet but may someday at which time you will not be thinking about directory restrictions).

    And then I thought, why not restrict everything that should be hidden anyway? Can anyone conceive of a problem with this?

    RedirectMatch 404 /\\..*(/.*|$)


    I added the '.*' after the initial period - only difference from Riccardo. Seems to 404 .svn, .git, .blah, etc.

  5. A RedirectMatch will respond with a 404, which is great.

    However, if "Options +Indexes" is enabled, then users will still be able to see the '.svn' directory from the Parent directory.

    Users won't be able to enter the directory; this is where the '404 Not Found' comes in. However, they will be able to see the directory, which provides clues to would-be attackers.

  6. It seems to me the Apache conf should be:

    <Directory ~ "\.svn">
    Order allow,deny
    Deny from all
    </Directory>

  7. I'm not all that fond of RewriteMatch, so I used a RewriteRule instead:

    RewriteRule /\..*(/.*|$) - [R=404,L]


    The hyphen means "don't do any substitution". I also could not figure out why, in the examples above, the regex had two backslashes:

    /\\..*(/.*|$)


    So I took one out and it works fine. I can't figure out why you would use two there. Someone care to enlighten me?

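    The patterns proposed in comments 2, 3, 4 and 7 can be checked side by side before they go into a live config. The following is an added example, not code from the original thread: it runs each candidate regex against constructed request paths with Python's re module, whose unanchored search mirrors how Apache's RedirectMatch, Directory ~ and LocationMatch test a regex against the URL path. The path list and rule names are my own, and the last rule shows what the doubled backslash asked about in comment 7 would do if it reached the regex engine literally.

```python
import re

# Candidate rules quoted from the comments above (single-backslash forms,
# which is what the regex engine should see). Names are constructed labels.
RULES = {
    "svn_dir_or_root":    r"/\.svn(/|$)",                 # comment 2
    "svn_dir_contents":   r"/\.svn(/.*|$)",               # comment 3
    "all_vcs":            r"/\.(svn|git|hg|bzr|cvs)(/|$)", # comment 3
    "all_dotfiles":       r"/\..*(/.*|$)",                # comments 4 and 7
    "locationmatch_dots": r"\/\..*",                      # comment 8
    "doubled_backslash":  r"/\\.svn(/|$)",                # comment 7's question:
    # as a regex this requires a literal backslash, so it matches no URL path
}

# Constructed request paths (not from the original page). The last two are
# deliberate edge cases: a non-VCS file whose name merely starts with ".svn",
# and the RFC 5785 /.well-known/ prefix that a dot-catch-all would also block.
PATHS = [
    "/.svn", "/.svn/", "/.svn/entries", "/app/.svn/wc.db",
    "/.git/config", "/index.html", "/docs/.svnignore", "/.well-known/test",
]


def blocked(rule, path):
    """True if Apache would apply the rule: regex search, not anchored."""
    return re.search(rule, path) is not None


def matrix():
    """Map each rule name to the constructed paths it would 404 / deny."""
    return {name: [p for p in PATHS if blocked(rx, p)]
            for name, rx in RULES.items()}


if __name__ == "__main__":
    for name, hits in matrix().items():
        print(f"{name:20} -> {hits}")
```

    Running it shows that every single-backslash .svn variant already covers /.svn/entries and /app/.svn/wc.db, that the dot-catch-all additionally swallows /docs/.svnignore and /.well-known/test, and that the doubled-backslash form matches nothing.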
  8. I would rather deny access to all dot-files (e.g. .htaccess, .svn, .xxx, etc.), as they normally don't need to be web-accessible.

    Here's the rule to achieve this:

    <LocationMatch "\/\..*">
    Order allow,deny
    Deny from all
    </LocationMatch>

  9. Create an access rights file in your subversion server installation.

    e.g. if your folder structure is

    /svn

    /svn/rights/svnauth.conf

    create a configuration file and enter the path of that file in your apache subversion configuration file, which you would normally find at /etc/httpd/conf.d/subversion.conf

    In your svnauth.conf file define the rights as:

    access rights for Foo.com

    [foo.com:/trunk/source]

    dev1=rw

    dev2=rw
    .....

    This way you can control the access rights from one single file and at a much more granular level.

    For more information peruse the svn red book.
