Hello,

I use "svn co" as I explained, so I can use "svn update" to simply
update my projects. I think that it can be a good idea to remove read
for "o", but an experienced sys admin should know that the .svn directory
mustn't be accessible from the web!

I use Apache, and here is my configuration line, which sends a 404 error
when an HTTP client asks for the .svn directory:

RedirectMatch 404 /\.svn(/|$)

So simple...
Regards,
Samuel ROZE.

Le lundi 11 janvier 2010 à 13:05 +0200, Ivan Zahariev a écrit :
> Hello guys,
> 
> Many developers checkout the working tree directly into the web server's
> public folder, and this imposes a security risk. Anyone can then point
> the URL of their browser within the ".svn/text-base" directory, for
> example, and access sensitive data such as previous versions of a file,
> or even the source code of it, because of the ".svn-base" suffix in the
> filename. This is described in more details at
> "http://scottbarnham.com/blog/2008/04/22/serving-websites-from-svn-checkout-considered-harmful/".
> I know that "svn export" exists and this is the way to checkout the tree
> properly and safely, but this is an extra step which developers have to
> do, and you know that extra steps are usually skipped, if they could be
> skipped.
> 
> Nevertheless, I see no valid reason for the administrative ".svn"
> directories to be world-wide accessible; correct me if I'm wrong. That's
> why I propose that SVN creates these ".svn" directories with file
> permissions which disallow "others" to enter these directories. Here is
> the proposed patch against the source code of Subversion 1.6.6:
> 
> --- ./subversion/libsvn_wc/adm_files.c-orig     2010-01-11
> 12:47:23.000000000 +0200
> +++ ./subversion/libsvn_wc/adm_files.c  2010-01-11 12:48:57.000000000 +0200
> @@ -627,7 +627,8 @@
>  make_empty_adm(const char *path, apr_pool_t *pool)
>  {
>    path = svn_wc__adm_child(path, NULL, pool);
> -  return svn_io_dir_make_hidden(path, APR_OS_DEFAULT, pool);
> +  /* Protect the administrative subdir from being accessible by
> "others". */
> +  return svn_io_dir_make_hidden(path, (APR_OS_DEFAULT & ~(APR_WEXECUTE
> | APR_WWRITE | APR_WREAD)), pool);
>  }
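
Review bot: the new mode argument in the svn_io_dir_make_hidden() call clears APR_WREAD, APR_WWRITE and APR_WEXECUTE out of APR_OS_DEFAULT, which does what the comment says only if APR_OS_DEFAULT is an ordinary set of permission bits rather than a "use the platform default" marker; nothing in the hunk establishes that. Either state that assumption in the comment or pass an explicit owner/group mode instead. Because the change is confined to make_empty_adm(), it covers only newly created administrative directories, so existing working copies keep their current permissions and that limit belongs in the comment too. The added call line should also be wrapped to the file's line length.
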
> 
> Please let me know what you think. Should I direct this to the "dev"
> mailing list? Thanks.
> 
> Best regards,
> Ivan Zahariev
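
Added example (not part of the original messages, and not Subversion or Apache code): a small audit that checks both mitigations discussed in this thread, namely which ".svn" directories under a document root still grant permissions to "others", and which URL paths the RedirectMatch pattern above would answer with 404. The function names, the sample tree and the sample paths are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Same pattern as the RedirectMatch line in the reply above; Apache matches
# it unanchored against the URL path, hence search() rather than match().
SVN_RULE = re.compile(r"/\.svn(/|$)")

def blocked_by_rule(url_path):
    """True if the RedirectMatch pattern would answer 404 for this URL path."""
    return SVN_RULE.search(url_path) is not None

def world_accessible_svn_dirs(docroot):
    """Return .svn directories under docroot that still grant any
    permission bit to "others" (the bits the proposed patch clears)."""
    found = []
    for parent, dirs, _files in os.walk(docroot):
        if ".svn" in dirs:
            adm = os.path.join(parent, ".svn")
            mode = stat.S_IMODE(os.lstat(adm).st_mode)
            if mode & stat.S_IRWXO:
                found.append(os.path.relpath(adm, docroot))
            dirs.remove(".svn")  # do not descend into the admin area
    return sorted(found)

def build_sample_tree():
    """Constructed sample docroot: one open and one restricted .svn dir."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for rel, mode in ((".svn", 0o755), (os.path.join("app", ".svn"), 0o750)):
        path = os.path.join(root, rel)
        os.makedirs(path)
        os.chmod(path, mode)  # set explicitly so the umask does not matter
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    print("world-accessible:", world_accessible_svn_dirs(root))
    for p in ("/.svn/text-base/config.php.svn-base", "/app/.svn",
              "/my.svn.html", "/.svnignore"):
        print(p, "->", "404" if blocked_by_rule(p) else "served")
```
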


