Posted to users@subversion.apache.org by Patrick Krekelberg <pa...@bellapk.com> on 2008/07/07 20:05:28 UTC

Forbidding directory listing

Hi,

I have a Windows server which is running Apache 2 with a number of  
repositories. I have one Location on the "insecure" HTTP domain which  
is being accessed in httpd.conf like this:

<Location />
DAV svn
SVNListParentPath Off
SVNParentPath //myServer/SVN/public
</Location>

This is allowing an "insecure" unauthenticated connection to a  
specific directory where I have a number of repositories intended for  
business units to release code. I have a "secure" method for accessing  
this same directory in my ssl.conf file:

<Location /pub>
DAV svn
SVNListParentPath On
SVNParentPath //myServer/SVN/public

SSLRequireSSL
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIDomain myActiveDirectoryServer
SSPIOmitDomain on
SSPIUsernameCase lower
SSPIPerRequestAuth Off
SSPIOfferBasic On
AuthName "my Public Repository"
Require valid-user
</Location>

The idea is that developers could create folders and post releases to  
the public repository using the secure, authenticated view, but  
clients could access the same files using the insecure link.

So, I can go to http://svn.mydomain.com/ or
https://svn.mydomain.com/pub/ to get to the same place. The problem
is, if I go to http://svn.mydomain.com/aRepositoryName I get a
directory listing of the folders in the repository!! I want to be
able to send a client a URL like
http://svn.mydomain.com/aRepositoryName/ClientName/ProjectName/myfile.zip
while knowing they cannot go down a few folders and look at other
client releases.

I have tried adding Options -Indexes to the Location tag in the  
httpd.conf file but this does nothing. What am I missing? If I could  
make it impossible to list any folders using the http:// version of  
the access that would be perfect. That way clients could download  
files, but also view completed web applications in the http:// domain  
but wouldn't be able to list anything.

Thanks,
-Patrick

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Forbidding directory listing

Posted by Ryan Schmidt <su...@ryandesign.com>.
On Jul 7, 2008, at 20:16, Patrick Krekelberg wrote:

>>> Ryan, I only need to limit directory listings from the web  
>>> browser and only web using the http view of the repository. Is  
>>> this possible?
>>
>> This will cause the browser to respond with a 404 (not found)  
>> message if anyone tries to access a directory (i.e. a URL ending  
>> with a slash):
>>
>> RedirectMatch 404 /$
>>
>> This way would work if your Subversion repositories are hosted in  
>> a dedicated vhost (hostname).
>>
>> If instead your Subversion repositories share a vhost (hostname)  
>> with other content, you could restrict the 404 behavior to just  
>> the part of your URL space in which you serve repositories. For  
>> example if all your repositories are in http://www.example.com/svn/
>> then:
>>
>> RedirectMatch 404 ^/svn/(.*/)?$
>>
>> Clever users who try to guess your repository or directory names  
>> will be able to tell whether their guess is right or not -- If  
>> you're using SVNParentPath and they request a repository that does  
>> not exist they'll get "Could not open the requested SVN  
>> filesystem" but if they try to access a repository that does exist  
>> they'll get "The requested URL /foo/ was not found on this  
>> server". Also, for repositories that exist, and for paths within a  
>> repository that exist, requesting the URL without a slash will  
>> redirect to the URL with a slash added. For items that don't  
>> exist, this redirect won't happen. So this is not a completely  
>> bullet-proof solution.
>>
>> And as I said, a Subversion client will still be able to list the  
>> contents of the directories. So it really won't prevent a  
>> determined individual from seeing the names of items in your  
>> repository.
>
> This is of course not perfect but oddly it works nicely for my  
> uses. This way I can have developers access the repositories to  
> post files using Tortoise but clients viewing via the web can only  
> see the specific files. One weird thing is the one RedirectMatch in  
> the Location tag of the httpd.conf resulted in the same effect on  
> all of the secure repositories as well. Is there any way to un-set  
> the RedirectMatch in ssl.conf for the files which are accessed  
> using HTTPS?


So it sounds like you have two vhost directives, one for http and one  
for https, and from both of these you are including a common  
configuration file for your svn repositories. If so, then don't put  
the RedirectMatch into the common svn configuration file, but put it  
in the configuration for only the http vhost, but not into the  
configuration for the https vhost.

Alternately, I believe that Apache sets the environment variable  
"HTTPS" to some value (maybe "yes" or "1"?) if SSL is being used. So  
if you can find a way to set Apache directives conditionally based on  
whether or not an environment variable is set, you can test for the  
HTTPS variable. I can't recall off the top of my head a way to do  
this. For the CustomLog directive you can add a parameter like
env=!HTTPS but I don't know if that can be used on other Apache
directives or only on the CustomLog directive.

Please remember to Reply All so your reply goes to the list too, not  
just to me.



Re: Forbidding directory listing

Posted by Ryan Schmidt <su...@ryandesign.com>.
On Jul 7, 2008, at 17:12, Patrick Krekelberg wrote:

> On Jul 7, 2008, at 3:26 PM, Ryan Schmidt wrote:
>
>> On Jul 7, 2008, at 15:05, Patrick Krekelberg wrote:
>>
>>> I have a Windows server which is running Apache 2 with a number  
>>> of repositories. I have one Location on the "insecure" HTTP  
>>> domain which is being accessed in httpd.conf like this:
>>>
>>> <Location />
>>> DAV svn
>>> SVNListParentPath Off
>>> SVNParentPath //myServer/SVN/public
>>> </Location>
>>>
>>> This is allowing an "insecure" unauthenticated connection to a  
>>> specific directory where I have a number of repositories intended  
>>> for business units to release code. I have a "secure" method for  
>>> accessing this same directory in my ssl.conf file:
>>>
>>> <Location /pub>
>>> DAV svn
>>> SVNListParentPath On
>>> SVNParentPath //myServer/SVN/public
>>>
>>> SSLRequireSSL
>>> AuthType SSPI
>>> SSPIAuth On
>>> SSPIAuthoritative On
>>> SSPIDomain myActiveDirectoryServer
>>> SSPIOmitDomain on
>>> SSPIUsernameCase lower
>>> SSPIPerRequestAuth Off
>>> SSPIOfferBasic On
>>> AuthName "my Public Repository"
>>> Require valid-user
>>> </Location>
>>>
>>> The idea is that developers could create folders and post  
>>> releases to the public repository using the secure, authenticated  
>>> view, but clients could access the same files using the insecure  
>>> link.
>>>
>>> So, I can go to http://svn.mydomain.com/ or
>>> https://svn.mydomain.com/pub/ to get to the same place. The problem
>>> is, if I go to http://svn.mydomain.com/aRepositoryName I get a
>>> directory listing of the folders in the repository!! I want to be
>>> able to send a client a URL like
>>> http://svn.mydomain.com/aRepositoryName/ClientName/ProjectName/myfile.zip
>>> while knowing they cannot go down a few folders and look at other
>>> client releases.
>>>
>>> I have tried adding Options -Indexes to the Location tag in the  
>>> httpd.conf file but this does nothing. What am I missing? If I  
>>> could make it impossible to list any folders using the http://  
>>> version of the access that would be perfect. That way clients  
>>> could download files, but also view completed web applications in  
>>> the http:// domain but wouldn't be able to list anything.
>>
>> Trying to solve this problem with Apache directives won't work  
>> because a user could still use the svn command line client to list  
>> the directory contents.
>
> Ryan, I only need to limit directory listings from the web browser  
> and only web using the http view of the repository. Is this possible?

This will cause the browser to respond with a 404 (not found) message  
if anyone tries to access a directory (i.e. a URL ending with a slash):

RedirectMatch 404 /$

This way would work if your Subversion repositories are hosted in a  
dedicated vhost (hostname).

If instead your Subversion repositories share a vhost (hostname) with  
other content, you could restrict the 404 behavior to just the part  
of your URL space in which you serve repositories. For example if all  
your repositories are in http://www.example.com/svn/ then:

RedirectMatch 404 ^/svn/(.*/)?$

Clever users who try to guess your repository or directory names will  
be able to tell whether their guess is right or not -- If you're  
using SVNParentPath and they request a repository that does not exist  
they'll get "Could not open the requested SVN filesystem" but if they  
try to access a repository that does exist they'll get "The requested  
URL /foo/ was not found on this server". Also, for repositories that  
exist, and for paths within a repository that exist, requesting the  
URL without a slash will redirect to the URL with a slash added. For  
items that don't exist, this redirect won't happen. So this is not a  
completely bullet-proof solution.

And as I said, a Subversion client will still be able to list the  
contents of the directories. So it really won't prevent a determined  
individual from seeing the names of items in your repository.
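Added example (not from this thread or from the Subversion project): one way to wire up Ryan's RedirectMatch rule so it applies to plain HTTP only, following his later advice to keep the rule in the http vhost and the repository settings in a shared include; a mod_rewrite variant keyed on mod_ssl's HTTPS variable (set to "on" for TLS requests) is shown for configurations where both schemes share one file. The include file name svn-common.conf, the /svn path prefix for both schemes, and the certificate paths are assumptions.

```apache
# svn-common.conf (assumed name): repository settings shared by both vhosts
<Location /svn>
    DAV svn
    SVNParentPath //myServer/SVN/public
    SVNListParentPath Off
</Location>

# Plain-HTTP vhost: anonymous read access to files, no directory pages.
<VirtualHost *:80>
    ServerName svn.mydomain.com
    Include conf/svn-common.conf
    # Any URL ending in "/" under /svn/ is answered with 404, so a browser
    # never receives an index of a repository or of a directory inside it.
    # A file URL such as /svn/repo/Client/Project/file.zip is unaffected.
    # Placed at vhost level, not inside the shared include, so it does not
    # leak into the HTTPS vhost.
    RedirectMatch 404 ^/svn/(.*/)?$
</VirtualHost>

# HTTPS vhost: authenticated, listings allowed; no RedirectMatch here.
<VirtualHost *:443>
    ServerName svn.mydomain.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    Include conf/svn-common.conf
    <Location /svn>
        SVNListParentPath On
        SSLRequireSSL
        AuthType SSPI
        SSPIAuth On
        SSPIAuthoritative On
        SSPIDomain myActiveDirectoryServer
        AuthName "my Public Repository"
        Require valid-user
    </Location>
</VirtualHost>

# Alternative when one config block serves both schemes: mod_rewrite can
# test the HTTPS variable that mod_ssl sets, so the 404 fires only for
# non-TLS requests. Needs mod_rewrite loaded; goes in server or vhost context.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^/svn/(.*/)?$ - [R=404,L]
```

As Ryan notes, neither variant stops an svn client from listing the tree; they only remove the browser-visible index pages.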



Re: Forbidding directory listing

Posted by Patrick Krekelberg <pa...@bellapk.com>.
On Jul 7, 2008, at 3:26 PM, Ryan Schmidt wrote:

>
> On Jul 7, 2008, at 15:05, Patrick Krekelberg wrote:
>
>> I have a Windows server which is running Apache 2 with a number of  
>> repositories. I have one Location on the "insecure" HTTP domain  
>> which is being accessed in httpd.conf like this:
>>
>> <Location />
>> DAV svn
>> SVNListParentPath Off
>> SVNParentPath //myServer/SVN/public
>> </Location>
>>
>> This is allowing an "insecure" unauthenticated connection to a  
>> specific directory where I have a number of repositories intended  
>> for business units to release code. I have a "secure" method for  
>> accessing this same directory in my ssl.conf file:
>>
>> <Location /pub>
>> DAV svn
>> SVNListParentPath On
>> SVNParentPath //myServer/SVN/public
>>
>> SSLRequireSSL
>> AuthType SSPI
>> SSPIAuth On
>> SSPIAuthoritative On
>> SSPIDomain myActiveDirectoryServer
>> SSPIOmitDomain on
>> SSPIUsernameCase lower
>> SSPIPerRequestAuth Off
>> SSPIOfferBasic On
>> AuthName "my Public Repository"
>> Require valid-user
>> </Location>
>>
>> The idea is that developers could create folders and post releases  
>> to the public repository using the secure, authenticated view, but  
>> clients could access the same files using the insecure link.
>>
>> So, I can go to http://svn.mydomain.com/ or
>> https://svn.mydomain.com/pub/ to get to the same place. The problem
>> is, if I go to http://svn.mydomain.com/aRepositoryName I get a
>> directory listing of the folders in the repository!! I want to be
>> able to send a client a URL like
>> http://svn.mydomain.com/aRepositoryName/ClientName/ProjectName/myfile.zip
>> while knowing they cannot go down a few folders and look at other
>> client releases.
>>
>> I have tried adding Options -Indexes to the Location tag in the  
>> httpd.conf file but this does nothing. What am I missing? If I  
>> could make it impossible to list any folders using the http://  
>> version of the access that would be perfect. That way clients could  
>> download files, but also view completed web applications in the  
>> http:// domain but wouldn't be able to list anything.
>
> Trying to solve this problem with Apache directives won't work  
> because a user could still use the svn command line client to list  
> the directory contents.
>
>


Ryan, I only need to limit directory listings from the web browser and  
only web using the http view of the repository. Is this possible?



Re: Forbidding directory listing

Posted by Ryan Schmidt <su...@ryandesign.com>.
On Jul 7, 2008, at 15:05, Patrick Krekelberg wrote:

> I have a Windows server which is running Apache 2 with a number of  
> repositories. I have one Location on the "insecure" HTTP domain  
> which is being accessed in httpd.conf like this:
>
> <Location />
> DAV svn
> SVNListParentPath Off
> SVNParentPath //myServer/SVN/public
> </Location>
>
> This is allowing an "insecure" unauthenticated connection to a  
> specific directory where I have a number of repositories intended  
> for business units to release code. I have a "secure" method for  
> accessing this same directory in my ssl.conf file:
>
> <Location /pub>
> DAV svn
> SVNListParentPath On
> SVNParentPath //myServer/SVN/public
>
> SSLRequireSSL
> AuthType SSPI
> SSPIAuth On
> SSPIAuthoritative On
> SSPIDomain myActiveDirectoryServer
> SSPIOmitDomain on
> SSPIUsernameCase lower
> SSPIPerRequestAuth Off
> SSPIOfferBasic On
> AuthName "my Public Repository"
> Require valid-user
> </Location>
>
> The idea is that developers could create folders and post releases  
> to the public repository using the secure, authenticated view, but  
> clients could access the same files using the insecure link.
>
> So, I can go to http://svn.mydomain.com/ or
> https://svn.mydomain.com/pub/ to get to the same place. The problem
> is, if I go to http://svn.mydomain.com/aRepositoryName I get a
> directory listing of the folders in the repository!! I want to be
> able to send a client a URL like
> http://svn.mydomain.com/aRepositoryName/ClientName/ProjectName/myfile.zip
> while knowing they cannot go down a few folders and look at other
> client releases.
>
> I have tried adding Options -Indexes to the Location tag in the  
> httpd.conf file but this does nothing. What am I missing? If I  
> could make it impossible to list any folders using the http://  
> version of the access that would be perfect. That way clients could  
> download files, but also view completed web applications in the  
> http:// domain but wouldn't be able to list anything.

Trying to solve this problem with Apache directives won't work  
because a user could still use the svn command line client to list  
the directory contents.


