Deny access to .svn folders on Apache

Question

We have a rails application in subversion that we deploy with Capistrano but have noticed that we can access the files in '/.svn', which presents a security concern.

I wanted to know what the best way to do this. A few ideas:

• Global Apache configuration to deny access
• Adding .htaccess files in the public folder and all subfolders
• Cap task that changes the permissions

I don't really like the idea of deleting the folders or using svn export, since I would like to keep the 'svn info' around.

Answer 1

The best option is to use Apache configuration.

Using htaccess or global configuration depends mainly on if you control your server.

If you do, you can use something like

<DirectoryMatch .*\.svn/.*>
    Deny From All
</DirectoryMatch>

If you don't, you can do something similar in .htaccess files with FilesMatch

Answer 2

One other way to protect the .svn files would be to use a redirect in the Apache config:

RedirectMatch 404 /\\.svn(/|$)

So instead of getting a 403 forbidden (and providing clues to would be attackers) you get a 404, which is what we would expect when randomly typing in paths.

Answer 3

I do not like the idea of 404ing each file startig wit a dot. I'd use a more selective approach, either with the cvs I'm using in the project (svn in the example)

RedirectMatch 404 /\\.svn(/|$)

or a catch all cvs systems

RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$)

-- outdated answer follows (see comments) --

I cant write comments yet so... The answer of csexton is incorrect, because an user cannot access the .svn folder, but can access any files inside it ! e.g. you can access http://myserver.com/.svn/entries

The correct rule is

RedirectMatch 404 /\\.svn(/.*|$)

Answer 4

I think Riccardo Galli got it right. Even apache already had .svn setup as forbidden for me, but .svn/entries was certainly available...exposing my svn server, port number, usernames, etc.

I actually figure, why not restrict .git as a preventative measure (say you don't use git yet but may someday at which time you will not be thinking about directory restrictions).

And then I thought, why not restrict everything that should be hidden anyway? Can anyone conceive of a problem with this?

RedirectMatch 404 /\\..*(/.*|$)

I added the '.*' after the initial period - only difference from Riccardo. Seems to 404 .svn, .git, .blah, etc.

Answer 5

I would rather deny access to all dot-files (eg: .htaccess, .svn, .xxx, etc.), as they normally don't need to be web-accessible.

Here's the rule to achieve this (until Apache 2.2 included):

<LocationMatch "\/\..*">
    Order allow,deny
    Deny from all
</LocationMatch>

(UPDATE) Or you can use the following (which works in Apache 2.2 and 2.4):

# Deny access to dot-files, as 404 error
# (not giving hint about potential existence to the file)
RedirectMatch 404 ".*\/\..*"

Answer 6

This:

RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /

can also be used if you don't want to send an error back to the user.

It's only redirecting back to the site rootpage. Also, this is a permanent redirect, so the robots won't try to reindex this URL.

Answer 7

A RedirectMatch will respond with a 404, which is great.

However, if "Options +Indexes" is enabled, then users will still be able to see the '.svn' directory from the Parent directory.

Users won't be able to enter the directory-- this is where the '404 Not Found' comes in. However, they will be able to see the directory and provide clues to would be attackers.

Answer 8

I seems to me, Apache conf should be :

<Directory ~ "\.svn">
    Order allow,deny
    Deny from all
</Directory>

Answer 9

I'm not all that fond of RedirectMatch, so I used a RewriteRule instead:

RewriteRule /\..*(/.*|$) - [R=404,L]

The hyphen means "don't do any substitution". I also could not figure out why, in the examples above, the regex had two backslashes:

/\\..*(/.*|$)

So I took one out and it works fine. I can't figure out why you would use two there. Someone care to enlighten me?

Answer 10

Apache Subversion FAQ is sugesting this solution:

# Disallow browsing of Subversion working copy administrative dirs.
<DirectoryMatch "^/.*/\.svn/">
    Order deny,allow
    Deny from all
</DirectoryMatch>

source: https://subversion.apache.org/faq.html#website-auto-update

Answer 11

RedirectMatch like other directives from mod_alias is case sensitive even on case-insensitive file systems (see mod_alias documentation). So the answers above about matching and blocking files of all version control systems are not correct.

Instead of

RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$)

or

RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /

something like this is necessary

RedirectMatch 404 "(?i)/\.?(cvs|svn|git|hg|bzr)"

to really block everything, because

• CVS directories are uppercase; and
• don't start with a dot (.) in front.

I hope that helps.

Answer 12

In .htaccess on your server config file.

(1)

RewriteEngine on
RewriteRule "^(.*/)?\.git/" - [F,L]

And (2)

RedirectMatch 404 /\.git

Place this both method in .htaccess file.

It hides any file or directory whose name begins with .git Like .git directory or .gitignore file by returning a 404.

Answer 13

Create a access rights file in your subversion server installation.

e.g if you folder structure is

/svn

/svn/rights/svnauth.conf

create a configuration file and enter the path of that file in your apache subversion configuration file which you would normally find at /etc/httpd/conf.d/subversion.conf

In your svnauth.conf file define the rights as :

access rights for Foo.com

[foo.com:/trunk/source]

dev1=rw

dev2=rw .....

This way you can control the access rights from one single file and at much granular level.

For more information peruse through the svn red book.