

Hacking the .SVN directory - agotterer
http://www.adamgotterer.com/2009/01/26/hacking-the-svn-directory/

======
motoko
This is true for git, too. However, I don't know of any git command like "svn
export" that doesn't also pull the .git directory. The working solution seems
to be to simply delete the .git directory after a clone, preferably in some
nice deploy script, in conjunction with appropriate *nix file and Apache
permissions.

~~~
ionfish
The .git directory, however, is top-level, rather than in every directory in
your repository, so it'll only be a problem if your site root is the same as
your repository root.

~~~
reconbot
If the server is ever exploited then they have all your revision history
(including anything accidentally checked in that you didn't rebase(?) out), but
you do have the added advantage of being able to quickly check for any
modifications to any of your code. My repos follow a /public /logs/ /app layout, so
with git (over svn) none of the repo is exposed.

------
Tritis
The apache server at my office is set up to not serve files or directories
starting with a .

We use svn export anyway, but wouldn't ignoring (.) directories be the most
foolproof step?

------
miratom
Why are you pushing files with rsync with a working copy? That is what
"export" is for. There is no special security in the .svn folder, because you
are not supposed to publish it to the website.

~~~
agotterer
To be perfectly honest I'm not sure if it's an rsync or a checkout. I'm not the
sysadmin or the person who set up the process. But doing an export makes
sense; that was something I was thinking about after I discovered this. Thanks
for the confirmation.

Regardless, this problem exists and it exists on some extremely large
websites.

~~~
joeyo
You seem to have made a mistake with the rewrite rule. I think you mean:

    RewriteRule (\.svn)/(.*?) - [F,L]

Note the backslash before the .svn directory.

I'm also not entirely sure that the question mark (zero or one quantifier) is
necessary; it seems like

    (.*)

would suffice for catching files within the .svn directory, but this is
quickly getting out of my league.

~~~
agotterer
You're right, I forgot to transcribe the backslash (it's correct in my htaccess).
I will update the article. Thanks!
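An added example, not code from the thread or the article: it evaluates the rewrite patterns discussed by joeyo (unescaped dot, escaped dot, with and without the `?` quantifier) plus a general "any dot-directory" rule in the spirit of Tritis's comment against constructed request paths, so you can see exactly which requests each rule would reject before deploying it. It assumes Python's `re` behaves like mod_rewrite's PCRE for these simple patterns, and that the patterns are unanchored as in the thread.

```python
import re

# Constructed sample request paths (not taken from the original thread).
SAMPLE_PATHS = [
    "/.svn/entries",
    "/app/.svn/text-base/config.php.svn-base",
    "/.git/HEAD",
    "/.hg/store/00manifest.i",
    "/assvn/index.html",      # only rejected when the dot is left unescaped
    "/images/a.svn.png",      # an ordinary file, not a metadata directory
    "/index.html",
]

# Rewrite patterns as written in the thread, plus a general dot-directory rule.
# Assumption: Python's re matches these the same way mod_rewrite (PCRE) does.
PATTERNS = {
    "unescaped": r"(.svn)/(.*?)",          # the typo: '.' matches any character
    "escaped": r"(\.svn)/(.*?)",           # joeyo's correction
    "escaped_greedy": r"(\.svn)/(.*)",     # same rule without the '?' quantifier
    "any_dotdir": r"(^|/)\.[^/]+(/|$)",    # any path component starting with '.'
}


def blocked_paths(pattern, paths=SAMPLE_PATHS):
    """Return the paths a RewriteRule with this pattern would reject.

    re.search is used because a RewriteRule pattern matches anywhere in the
    path unless it is explicitly anchored with ^ or $.
    """
    rx = re.compile(pattern)
    return [p for p in paths if rx.search(p)]


def compare(paths=SAMPLE_PATHS):
    """Map each pattern name to the list of paths it would reject."""
    return {name: blocked_paths(pat, paths) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:15s} rejects {hits}")
```

The escaped pattern with and without `?` rejects the same set, and the general rule also covers .git and .hg without touching files that merely contain ".svn" in their name.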

