Hacking the .SVN directory (adamgotterer.com)
23 points by agotterer on Jan 27, 2009 | hide | past | favorite | 11 comments



This is true for git, too. However, I don't know of any git command like "svn export" that doesn't also pull the .git directory. The working solution seems to be to simply delete the .git directory after a clone ---preferably in some nice deploy script --- in conjunction with appropriate *nix file and Apache permissions.


The .git directory, however, is top-level, rather than in every directory in your repository, so it'll only be a problem if your site root is the same as your repository root.


If the server is ever exploited then they have all your revision history (including anything accidentally checked in that you didn't rebase(?) out) but you do have the added advantage of being able to quickly check for any modifications to any of your code. My repos follow a /public /logs/ /app so with git (over svn) none of the repo is exposed.


The apache server at my office is set up to not serve files or directories starting with a .

We use svn export anyway, but wouldn't ignoring (.) directories be the most foolproof step?


Why are you pushing files with rsync with a working copy? That is what "export" is for. There is no special security in the .svn folder, because you are not supposed to publish it to the website.


To be perfectly honest I'm not sure if it's an rsync or a checkout. I'm not the sys admin or the person who set up the process. But doing an export makes sense, that was something I was thinking about after I discovered this. Thanks for the confirmation.

Regardless, this problem exists and it exists on some extremely large websites.


You seem to have made a mistake with the rewrite rule. I think you mean:

  RewriteRule (\.svn)/(.*?) - [F,L]
Note the backslash before the .svn directory.

I'm also not entirely sure that the question mark (zero or one quantifier) is necessary; it seems like

  (.*)
would suffice for catching files within the .svn directory, but this is quickly getting out of my league.


You're right, I forgot to transcribe the backslash (it's correct in my htaccess). I will update the article. Thanks!


I mentioned this to our sys admin. He made a good point... Export will copy every file in the repository over, every time. Our repo is quite large and we push often. We use rsync so it only copies the most recent changes. They also go out to a number of servers.


rsync is fine, just make sure to exclude .svn and anything else you don't want the world to see, for example:

  cd $build_dir
  svn co path/to/project
  rsync -qaz -c --delete --exclude=.svn project $host:/var/www
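As an added example (not part of the thread or the article), a post-deploy check that walks the web root and reports any VCS metadata directories that slipped past the rsync excludes. The directory names and the web root path are assumptions; it runs on a constructed tree for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: verify that no VCS metadata
# directories (.svn, .git, .hg, .bzr, CVS) exist anywhere under a deployed
# web root. Meant to run on the target host right after the rsync step.

# vcs_dirs_under DIR
#   Prints every VCS metadata directory found below DIR, one per line.
#   Returns 0 when the tree is clean, 1 when at least one was found.
vcs_dirs_under() {
    _root="$1"
    # -type d restricts the match to directories; a file merely named
    # ".git" (e.g. a gitdir pointer) would still be worth a look, but the
    # exposure discussed in the thread is the directory and its contents.
    _found=$(find "$_root" -type d \
        \( -name .svn -o -name .git -o -name .hg -o -name .bzr -o -name CVS \) \
        -print)
    if [ -n "$_found" ]; then
        printf '%s\n' "$_found"
        return 1
    fi
    return 0
}

# Typical use after the rsync in the comment above (hypothetical path):
#   vcs_dirs_under /var/www || echo "VCS metadata present under web root" >&2
```

The check complements, rather than replaces, the Apache rule that refuses to serve dot-directories: it catches a forgotten `--exclude` before the directory is ever reachable.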


+1



