On Mon, Jan 11, 2010 at 06:05, Ivan Zahariev <rrdt...@famzah.net> wrote:
> Hello guys,
>
> Many developers check out the working tree directly into the web server's
> public folder, and this imposes a security risk. Anyone can then point
> the URL of their browser within the ".svn/text-base" directory, for
> example, and access sensitive data such as previous versions of a file,
> or even the source code of it, because of the ".svn-base" suffix in the
> filename. This is described in more detail at
> http://scottbarnham.com/blog/2008/04/22/serving-websites-from-svn-checkout-considered-harmful/
> I know that "svn export" exists and this is the way to checkout the tree
> properly and safely, but this is an extra step which developers have to
> do, and you know that extra steps are usually skipped, if they could be
> skipped.
>
> Nevertheless, I see no valid reason for the administrative ".svn"
> directories to be world-wide accessible; correct me if I'm wrong. That's
> why I propose that SVN creates these ".svn" directories with file
> permissions which disallow "others" to enter these directories. Here is
> the proposed patch against the source code of Subversion 1.6.6:
Why not just configure your webserver to return a 404 error on requests for directories named .svn? http://www.google.com/search?q=svn+directory+404
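As an added illustration of the web-server-side approach suggested in this reply (not part of the thread), here is an Apache httpd configuration that answers any request touching a ".svn" directory with a 404. It assumes Apache 2.4 with mod_alias loaded; the host name in the verification comment is a placeholder.

```apache
# Added example, not from the original thread.
# Hide Subversion administrative directories when a working copy is
# served straight from DocumentRoot. Without this rule, a request for
# /.svn/text-base/index.php.svn-base returns the raw source file.
#
# RedirectMatch with a non-3xx status takes no target URL and simply
# answers with that status, so the path is reported as not existing.
# The pattern matches ".svn" as a whole path component (and anything
# below it) anywhere in the URL, including nested checkouts.
RedirectMatch 404 "/\.svn(/|$)"

# Belt and braces: also refuse direct filesystem access to the directory
# contents in case another alias or rewrite bypasses mod_alias ordering.
# (This on its own would answer 403; the RedirectMatch above is what
# makes the response a 404.)
<DirectoryMatch "/\.svn(/|$)">
    Require all denied
</DirectoryMatch>

# Verification after `apachectl configtest && apachectl graceful`:
#   curl -sI http://www.example.com/.svn/entries | head -n1
# should print an HTTP 404 status line, while a normal page still
# returns 200. Replace www.example.com with the real virtual host.
```

Place the directives in the main server config or inside the relevant <VirtualHost>; a per-directory .htaccess also works for RedirectMatch if AllowOverride permits FileInfo, but the server-level rule cannot be undone by a stray .htaccess in the checkout.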