Deny access to .svn folders on Apache


Solution 1

The best option is to use Apache configuration.

Using .htaccess or the global configuration depends mainly on whether you control your server.

If you do, you can use something like

<DirectoryMatch .*\.svn/.*>
    Deny From All
</DirectoryMatch>

If you don't, you can do something similar in .htaccess files with FilesMatch.

Solution 2

One other way to protect the .svn files would be to use a redirect in the Apache config:

RedirectMatch 404 /\\.svn(/|$)

So instead of getting a 403 Forbidden (and providing clues to would-be attackers) you get a 404, which is what we would expect when randomly typing in paths.

Solution 3

I do not like the idea of 404ing each file starting with a dot. I'd use a more selective approach, either with the VCS I'm using in the project (svn in the example)

RedirectMatch 404 /\\.svn(/|$)

or a catch-all for VCS systems

RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$)

-- outdated answer follows (see comments) --

I can't write comments yet so... The answer of csexton is incorrect, because a user cannot access the .svn folder, but can access any files inside it! E.g. you can access http://myserver.com/.svn/entries

The correct rule is

RedirectMatch 404 /\\.svn(/.*|$)

Solution 4

I think Riccardo Galli got it right. Even Apache already had .svn set up as forbidden for me, but .svn/entries was certainly available... exposing my svn server, port number, usernames, etc.

I actually figure, why not restrict .git as a preventative measure (say you don't use git yet but may someday at which time you will not be thinking about directory restrictions).

And then I thought, why not restrict everything that should be hidden anyway? Can anyone conceive of a problem with this?

RedirectMatch 404 /\\..*(/.*|$)

I added the '.*' after the initial period - only difference from Riccardo. Seems to 404 .svn, .git, .blah, etc.

Solution 5

I would rather deny access to all dot-files (e.g. .htaccess, .svn, .xxx, etc.), as they normally don't need to be web-accessible.

Here's the rule to achieve this (up to and including Apache 2.2):

<LocationMatch "\/\..*">
    Order allow,deny
    Deny from all
</LocationMatch>

(UPDATE) Or you can use the following (which works in Apache 2.2 and 2.4):

# Deny access to dot-files with a 404 error
# (giving no hint about the potential existence of the file)
RedirectMatch 404 ".*\/\..*"
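
Added example (not part of any answer above, and not Apache's own code): a Python check of which of the answers' RedirectMatch patterns match a set of constructed URL paths. It assumes that RedirectMatch does an unanchored regex search on the URL path and that Apache's config parser reduces `\\` to `\`; Python's `re` stands in for Apache's PCRE, which behaves the same for these simple patterns.

```python
import re

# Regexes as Apache is assumed to see them after config parsing:
# /\\.svn(/|$) on the page becomes the regex /\.svn(/|$).
RULES = {
    "svn_dir":      r"/\.svn(/|$)",                   # Solutions 2 and 3
    "svn_any":      r"/\.svn(/.*|$)",                 # Solution 3, "correct rule"
    "vcs_dirs":     r"/\.(svn|git|hg|bzr|cvs)(/|$)",  # Solution 3, catch-all
    "dot_anything": r"/\..*(/.*|$)",                  # Solution 4
    "dot_files":    r".*\/\..*",                      # Solution 5 (2.2 and 2.4)
}

# Constructed sample URL paths; only /.svn/entries appears on the page.
PATHS = [
    "/.svn",
    "/.svn/entries",
    "/app/.svn/text-base/config.php.svn-base",
    "/.svnignore",
    "/.git/config",
    "/.htaccess",
    "/.well-known/security.txt",
    "/css/site.min.css",
]

def blocked(rule: str, path: str) -> bool:
    """True if RedirectMatch 404 with this rule's regex would fire for path."""
    # re.search mirrors the unanchored match: the pattern may hit anywhere.
    return re.search(RULES[rule], path) is not None

def matrix() -> dict:
    """Map each sample path to the list of rule names that would 404 it."""
    return {p: [r for r in RULES if blocked(r, p)] for p in PATHS}

if __name__ == "__main__":
    for path, rules in matrix().items():
        print(f"{path:42} {', '.join(rules) or '-'}")
```

Under these assumptions the two `.svn` patterns block exactly the same paths, while the broad dot rules also cover `/.htaccess`, `/.svnignore` and `/.well-known/`. The last one matters if the site serves ACME challenges or security.txt from that directory.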
Author by

user2890149

Updated on February 15, 2020
