Jon Simpson

Subversion and Webroot Security

27 Feb 2007 — subversion, htaccess, apache

I’ve taken up managing my deployed web applications with Subversion, similar to how I manage my WordPress installs.

However, a new issue arises. The source code to my apps is not necessarily a public domain, open source deal (like Wordpress), and there is nothing to stop someone going to http://example.com/.svn/ or http://example.com/some_directory/.svn/ and poking around at the code. This problem gets even worse if the configuration is being version controlled (think database usernames/passwords).

Here is a fix, aggregated from several posts on subversion-users: add the following lines to your Apache configuration file (tested on Apache 2).

<DirectoryMatch /\.svn(/|$)>
  Order allow,deny
  deny from all
</DirectoryMatch>

Highly recommended for anyone using Subversion in publicly visible directories on web servers.
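
To see which directories of a deployed checkout the rule above actually covers, here is an added audit sketch (not part of the original post). It applies the same pattern with Python's re module as an approximation of Apache's matching; the sample tree and the function names are constructed for illustration.

```python
import os
import re
import tempfile

# Pattern copied from the DirectoryMatch block above. Python's re.search is
# used as an approximation of Apache's unanchored regex matching (assumption).
SVN_RULE = re.compile(r"/\.svn(/|$)")


def covered_by_rule(path):
    """True if a webroot-relative path such as '/app/.svn' matches the rule."""
    return SVN_RULE.search(path.replace(os.sep, "/")) is not None


def denied_dirs(webroot):
    """Walk webroot and return the relative directories the rule would deny."""
    denied = []
    for current, dirs, _files in os.walk(webroot):
        for name in dirs:
            rel = os.path.relpath(os.path.join(current, name), webroot)
            rel = "/" + rel.replace(os.sep, "/")
            if covered_by_rule(rel):
                denied.append(rel)
    return sorted(denied)


def build_sample_webroot(base):
    """Constructed sample: two working-copy dirs plus two look-alike names."""
    for rel in (".svn/text-base", "some_directory/.svn/prop-base",
                "docs.svn", "some_directory/.svnold"):
        os.makedirs(os.path.join(base, *rel.split("/")))
    return base


def sample_audit():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return denied_dirs(build_sample_webroot(tmp))


if __name__ == "__main__":
    # Point denied_dirs() at a real document root to inventory its .svn dirs.
    for rel in sample_audit():
        print("denied by rule:", rel)
```

The look-alike directories docs.svn and .svnold are left alone, while every .svn directory and everything beneath it is denied. On Apache 2.4, Order and deny are handled by mod_access_compat; the native equivalent inside the same DirectoryMatch block is Require all denied.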

