Subversion security issues – .svn directory has your source code in it

Stop Publishing Your Source!

Well, unless you’re working on an Open Source project that is.
Many of the developers I have worked with on web-based apps use a working copy for development, or even on staging servers (as opposed to exporting from Subversion). The problem is that the little .svn directory holds a lot of information, including copies of the checked-out version of your code. If you do not protect that directory, anyone creative enough can read your source. What to do?

System-wide Lockdown in httpd.conf

If you have the access, this is the way you want to go. Lock down the server and life will be good.

$ sudo vi /etc/httpd/conf/httpd.conf
...
# somewhere (preferably in a logical place
# near other directory tags) add...
<Directory ~ ".*\.svn">
    Order allow,deny
    Deny from all
    Satisfy All
</Directory>

.htaccess level

Personally I would do this even if you change the server config, but that’s just me, I’m just paranoid.

$ cd httpdocs
# or public_html or whatever your
# web accessible root directory is
$ echo '
        RewriteEngine on
        RewriteRule ^(.*/)?\.svn/ - [F,L]
' >> .htaccess

Now help out the rest of your team

One last step: check that .htaccess file into Subversion and you’ll protect everyone’s installations.
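
To check that a web root is actually covered, the script below (an added example, not part of the original post) lists every .svn directory under a document root and tests whether the root .htaccess carries an active rewrite rule like the one above. The function names and script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit a web root for
# exposed Subversion metadata. Function names are hypothetical.

# Print every .svn directory under the web root, relative to it.
find_svn_dirs() {
    (cd "$1" && find . -type d -name .svn -prune -print | sed 's|^\./||')
}

# Succeed only if the root .htaccess enables mod_rewrite and has an
# uncommented RewriteRule on \.svn carrying the F (forbidden) flag.
htaccess_blocks_svn() {
    [ -f "$1/.htaccess" ] || return 1
    grep -Eiq '^[[:space:]]*RewriteEngine[[:space:]]+on' "$1/.htaccess" &&
    grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*\\\.svn.*\[[^]]*F' "$1/.htaccess"
}

# Return 0 when nothing is exposed, 1 when .svn exists without a deny
# rule, 2 when the path is not a directory.
audit_svn_exposure() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    dirs=$(find_svn_dirs "$root")
    if [ -z "$dirs" ]; then
        echo "OK: no .svn directories under $root"
        return 0
    fi
    echo "Working-copy metadata found:"
    echo "$dirs" | sed 's/^/  /'
    if htaccess_blocks_svn "$root"; then
        echo "OK: $root/.htaccess forbids .svn/ requests"
        return 0
    fi
    echo "EXPOSED: no active .svn deny rule in $root/.htaccess"
    return 1
}

# Run directly as: sh audit_svn.sh /path/to/httpdocs
if [ "$#" -gt 0 ]; then
    audit_svn_exposure "$1"
fi
```

A pass here is a static check only: the .htaccess rule takes effect only if mod_rewrite is loaded and AllowOverride permits it. The script does not inspect a server-wide block in httpd.conf.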

Category(s): Code Snippets, Command Line, Server Administration, Source Control, Subversion, Web Servers