csexton

Reputation: 24793

Deny access to .svn folders on Apache

We have a rails application in subversion that we deploy with Capistrano but have noticed that we can access the files in '/.svn', which presents a security concern.

I wanted to know what the best way to do this is. A few ideas:

I don't really like the idea of deleting the folders or using svn export, since I would like to keep the 'svn info' around.

Upvotes: 58

Views: 35371

Answers (13)

Georgi D. Sotirov

Reputation: 41

RedirectMatch like other directives from mod_alias is case sensitive even on case-insensitive file systems (see mod_alias documentation). So the answers above about matching and blocking files of all version control systems are not correct.

Instead of

RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$)

or

RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /

something like this is necessary

RedirectMatch 404 "(?i)/\.?(cvs|svn|git|hg|bzr)"

to really block everything, because

  • CVS directories are uppercase; and
  • don't start with a dot (.) in front.

I hope that helps.

Upvotes: 3

Pratik Kamani

Reputation: 758

In .htaccess or your server config file.

(1)

RewriteEngine on
RewriteRule "^(.*/)?\.git/" - [F,L]

And (2)

RedirectMatch 404 /\.git

Place both methods in the .htaccess file.

It hides any file or directory whose name begins with .git, like the .git directory or the .gitignore file, by returning a 404.

Upvotes: 0

M_per

Reputation: 310

The Apache Subversion FAQ suggests this solution:

# Disallow browsing of Subversion working copy administrative dirs.
<DirectoryMatch "^/.*/\.svn/">
    Order deny,allow
    Deny from all
</DirectoryMatch>

source: https://subversion.apache.org/faq.html#website-auto-update

Upvotes: 1

Christophe Deliens

Reputation: 570

I would rather deny access to all dot-files (e.g. .htaccess, .svn, .xxx, etc.), as they normally don't need to be web-accessible.

Here's the rule to achieve this (up to and including Apache 2.2):

<LocationMatch "\/\..*">
    Order allow,deny
    Deny from all
</LocationMatch>

(UPDATE) Or you can use the following (which works in Apache 2.2 and 2.4):

# Deny access to dot-files, as a 404 error
# (not giving a hint about the potential existence of the file)
RedirectMatch 404 ".*\/\..*"

Upvotes: 6

Spanky

Reputation: 5776

I'm not all that fond of RedirectMatch, so I used a RewriteRule instead:

RewriteRule /\..*(/.*|$) - [R=404,L]

The hyphen means "don't do any substitution". I also could not figure out why, in the examples above, the regex had two backslashes:

/\\..*(/.*|$)

So I took one out and it works fine. I can't figure out why you would use two there. Someone care to enlighten me?

Upvotes: 1

Mikaciù

Reputation: 29

This:

RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /

can also be used if you don't want to send an error back to the user.

It only redirects back to the site root page. Also, this is a permanent redirect, so the robots won't try to reindex this URL.

Upvotes: 1

Riccardo Galli

Reputation: 12925

I do not like the idea of 404ing each file starting with a dot. I'd use a more selective approach, either with the cvs I'm using in the project (svn in the example):

RedirectMatch 404 /\\.svn(/|$)

or a catch-all for cvs systems:

RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$)

-- outdated answer follows (see comments) --

I can't write comments yet so... The answer of csexton is incorrect, because a user cannot access the .svn folder, but can access any files inside it! E.g. you can access http://myserver.com/.svn/entries

The correct rule is

RedirectMatch 404 /\\.svn(/.*|$)

Upvotes: 30

Xorax

Reputation: 1722

It seems to me the Apache conf should be:

<Directory ~ "\.svn">
    Order allow,deny
    Deny from all
</Directory>

Upvotes: 1

triemstr

Reputation: 176

I think Riccardo Galli got it right. Even though Apache already had .svn set up as forbidden for me, .svn/entries was certainly available... exposing my svn server, port number, usernames, etc.

I actually figured, why not restrict .git as a preventative measure (say you don't use git yet but may someday, at which time you will not be thinking about directory restrictions).

And then I thought, why not restrict everything that should be hidden anyway? Can anyone conceive of a problem with this?

RedirectMatch 404 /\\..*(/.*|$)

I added the '.*' after the initial period, the only difference from Riccardo's. It seems to 404 .svn, .git, .blah, etc.

Upvotes: 14

Stefan Lasiewski

Reputation: 18341

A RedirectMatch will respond with a 404, which is great.

However, if "Options +Indexes" is enabled, then users will still be able to see the '.svn' directory from the Parent directory.

Users won't be able to enter the directory; this is where the '404 Not Found' comes in. However, they will be able to see the directory, which provides clues to would-be attackers.

Upvotes: 1

csexton

Reputation: 24793

One other way to protect the .svn files would be to use a redirect in the Apache config:

RedirectMatch 404 /\\.svn(/|$)

So instead of getting a 403 Forbidden (and providing clues to would-be attackers) you get a 404, which is what we would expect when randomly typing in paths.

Upvotes: 44
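The RedirectMatch patterns in this thread differ in subtle ways (case sensitivity, whether `.gitignore`-style files are caught, and how much legitimate content a broad rule sweeps up), so it helps to see exactly which URL-paths each one fires on before deploying it. The script below is an added example, not code from any answer: it runs the patterns from the answers of csexton, Riccardo Galli, triemstr and Georgi D. Sotirov against a constructed list of paths with Python's `re` standing in for Apache's PCRE engine (an assumption that holds for patterns this simple). Two facts it relies on: RedirectMatch tests its regex against the URL-path without implicit anchors, so an unanchored pattern matches anywhere in the path, and Apache's configuration tokenizer collapses a doubled backslash in an unquoted argument to a single one, which is why `/\\.svn(/|$)` and `/\.svn(/|$)` behave identically in the posted answers. The path names, the "should hide" / "legitimate" split and the `audit` helper are all constructed for the example.

```python
import re

# Patterns as the regex engine sees them after Apache's tokenizer has
# reduced "\\" to "\" (so "/\\.svn" in an answer is "/\.svn" here).
PATTERNS = {
    "svn_only":     r"/\.svn(/|$)",                    # csexton, Riccardo Galli
    "common_vcs":   r"/\.(svn|git|hg|bzr|cvs)(/|$)",   # Riccardo Galli
    "all_dotfiles": r"/\..*(/.*|$)",                   # triemstr
    "vcs_nocase":   r"(?i)/\.?(cvs|svn|git|hg|bzr)",   # Georgi D. Sotirov
}

# Constructed sample URL-paths (not from the page): VCS metadata that must
# never be served, plus legitimate paths a too-broad rule would also 404.
SHOULD_HIDE = {
    "/.svn/entries",           # classic Subversion metadata
    "/app/.svn/wc.db",         # nested working copy, newer svn layout
    "/.SVN/entries",           # same thing on a case-insensitive filesystem
    "/CVS/Entries",            # CVS: uppercase, no leading dot
    "/.gitignore",             # a dot-file, not a directory
}
LEGITIMATE = {
    "/.well-known/acme-challenge/token",  # RFC 8615 path used by ACME/Let's Encrypt
    "/images/svn-logo.png",               # "svn" appearing inside an ordinary name
    "/docs/gitflow.html",                 # "git" appearing inside an ordinary name
    "/index.html",
}


def is_blocked(pattern: str, path: str) -> bool:
    """True if RedirectMatch with this pattern would fire on the URL-path.

    re.search mirrors RedirectMatch: no implicit ^ or $ anchors.
    """
    return re.search(pattern, path) is not None


def audit(pattern: str):
    """Return (missed, collateral) for a pattern over the sample paths.

    missed     -- sensitive paths the rule lets through
    collateral -- legitimate paths the rule would turn into 404s
    """
    blocked = {p for p in SHOULD_HIDE | LEGITIMATE if is_blocked(pattern, p)}
    missed = sorted(SHOULD_HIDE - blocked)
    collateral = sorted(LEGITIMATE & blocked)
    return missed, collateral


def main() -> None:
    for name, pattern in PATTERNS.items():
        missed, collateral = audit(pattern)
        print(f"{name:13s} {pattern}")
        print(f"    lets through : {missed or 'nothing'}")
        print(f"    collateral   : {collateral or 'nothing'}")


if __name__ == "__main__":
    main()
```

Running it shows the trade-off the thread circles around: the `svn_only` and `common_vcs` rules leak the uppercase `.SVN`, the dot-less `CVS` directory and `.gitignore`; the dot-file catch-all closes those but also 404s `/.well-known/`, which will break ACME certificate renewal on that vhost unless it is excluded; and the case-insensitive `vcs_nocase` rule hides everything in the sensitive set but also kills ordinary paths that merely contain `svn` or `git`. Whichever rule you pick, run this kind of check against your real URL space before enabling it, and remember (as Stefan Lasiewski notes) that a 404 does not stop a directory listing from revealing the name if `Options +Indexes` is on.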

user49550

Reputation: 70

Create an access rights file in your subversion server installation.

e.g. if your folder structure is

/svn

/svn/rights/svnauth.conf

Create a configuration file and enter the path of that file in your Apache Subversion configuration file, which you would normally find at /etc/httpd/conf.d/subversion.conf.

In your svnauth.conf file define the rights as:

# access rights for Foo.com
[foo.com:/trunk/source]
dev1=rw
dev2=rw
.....

This way you can control the access rights from one single file and at a much more granular level.

For more information, peruse the svn red book.

Upvotes: -7

Vinko Vrsalovic

Reputation: 340311

The best option is to use Apache configuration.

Whether to use .htaccess or the global configuration depends mainly on whether you control your server.

If you do, you can use something like

<DirectoryMatch .*\.svn/.*>
    Deny From All
</DirectoryMatch>

If you don't, you can do something similar in .htaccess files with FilesMatch.

Upvotes: 64
