We have a rails application in subversion that we deploy with Capistrano but have noticed that we can access the files in '/.svn', which presents a security concern.
I wanted to know what the best way to do this. A few ideas:
- Global Apache configuration to deny access
- Adding .htaccess files in the public folder and all subfolders
- Cap task that changes the permissions
I don't really like the idea of deleting the folders or using svn export, since I would like to keep the 'svn info' around.
Source: Tips4all, CCNA FINAL EXAM
The best option is to use Apache configuration.
ReplyDeleteUsing htaccess or global configuration depends mainly on if you control your server.
If you do, you can use something like
<DirectoryMatch .*\.svn/.*>
Deny From All
</DirectoryMatch>
If you don't, you can do something similar in .htaccess files with FilesMatch
One other way to protect the .svn files would be to use a redirect in the Apache config:
ReplyDeleteRedirectMatch 404 /\\.svn(/|$)
So instead of getting a 403 forbidden (and providing clues to would be attackers) you get a 404, which is what we would expect when randomly typing in paths.
I do not like the idea of 404ing each file startig wit a dot.
ReplyDeleteI'd use a more selective approach, either with the cvs I'm using in the project (svn in the example)
RedirectMatch 404 /\\.svn(/|$)
or a catch all cvs systems
RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$)
-- outdated answer follows (see comments) --
I cant write comments yet so...
The answer of csexton is incorrect, because an user cannot access the .svn folder, but can access any files inside it !
e.g. you can access
http://myserver.com/.svn/entries
The correct rule is
RedirectMatch 404 /\\.svn(/.*|$)
I think Riccardo Galli got it right. Even apache already had .svn setup as forbidden for me, but .svn/entries was certainly available...exposing my svn server, port number, usernames, etc.
ReplyDeleteI actually figure, why not restrict .git as a preventative measure (say you don't use git yet but may someday at which time you will not be thinking about directory restrictions).
And then I thought, why not restrict everything that should be hidden anyway? Can anyone conceive of a problem with this?
RedirectMatch 404 /\\..*(/.*|$)
I added the '.*' after the initial period - only difference from Riccardo. Seems to 404 .svn, .git, .blah, etc.
A RedirectMatch will respond with a 404, which is great.
ReplyDeleteHowever, if "Options +Indexes" is enabled, then users will still be able to see the '.svn' directory from the Parent directory.
Users won't be able to enter the directory-- this is where the '404 Not Found' comes in. However, they will be able to see the directory and provide clues to would be attackers.
I seems to me, Apache conf should be :
ReplyDelete<Directory ~ "\.svn">
Order allow,deny
Deny from all
</Directory>
I'm not all that fond of RewriteMatch, so I used a RewriteRule instead:
ReplyDeleteRewriteRule /\..*(/.*|$) - [R=404,L]
The hyphen means "don't do any substitution". I also could not figure out why, in the examples above, the regex had two backslashes:
/\\..*(/.*|$)
So I took one out and it works fine. I can't figure out why you would use two there. Someone care to enlighten me?
I would rather deny access to all dot-files (eg: .htaccess, .svn, .xxx, etc.), as they normally don't need to be web-accessible.
ReplyDeleteHere's the rule to achieve this:
<LocationMatch "\/\..*">
Order allow,deny
Deny from all
</LocationMatch>
Create a access rights file in your subversion server installation.
ReplyDeletee.g if you folder structure is
/svn
/svn/rights/svnauth.conf
create a configuration file and enter the path of that file in your apache subversion configuration file which you would normally find at /etc/httpd/conf.d/subversion.conf
In your svnauth.conf file define the rights as :
access rights for Foo.com
[foo.com:/trunk/source]
dev1=rw
dev2=rw
.....
This way you can control the access rights from one single file and at much granular level.
For more information peruse through the svn red book.