Ignoring .svn directories under IIS

We are a web development organization and have recently moved to using Subversion for our version control system. Since executing an update is so much faster than doing an export and copying over the files, the developers want to be able to have the production server be a working copy.

The only concern I have with this is all of the .svn files littered across the system, and the fact that some enterprisey individual could, potentially, read the contents of the files in there, possibly giving them information we would rather they did not have.

What is the best/easiest way to prevent IIS from serving up any content from within those .svn directories?


Solution 1:

"Don't do it that way" does not answer the question.

Practically, I like having a working copy on the production server, because that way I can make quick changes in production (who has never done that?) and check them back in. It depends on where you want your security/convenience slider, and in many cases this is a good place.

The standard solution in Apacheland is to leave the .svn files there but tell the web server to never serve them. Here's how to do that with IIS 5-7 on Windows 2000-2008.

  1. Download and install ISAPI_Rewrite -- the Lite version will be enough for this purpose. Note extra system requirements for Win 2008. Warning: the MSI installer stops and starts IIS.

  2. Uncheck the "read only" box on the httpd.ini file's properties. If you used the MSI installer, there's a shortcut to the httpd.ini file in the Start menu under Helicon->ISAPI_Rewrite.

  3. Add these lines to httpd.ini:

ISAPI_Rewrite directives in httpd.ini:

# Deny access to Subversion working copy administrative
#  directories (.svn) and their contents
RewriteRule .*/\.svn\b.* . [F,I,O]

Now, any request for a .svn directory or its contents will result in a 404 Not Found from the server.

Solution 2:

You could make sure that any user accounts used by IIS do not have rights to access the .svn directories.

You can either do this manually (not recommended) or use something like MrJangles' delete script, either triggered to run after you do the SVN update or run regularly as a scheduled task:

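rem In a batch file write %%f instead of %f; (OI)(CI) makes the deny inherit to everything under .svn
for /r YOURPATH %f in (.svn) do if exist "%f" icacls "%f" /deny <name_of_iis_user>:(OI)(CI)F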

(note: I've not tested the above, you'll need to check it does what it is trying to before relying on it in production, see the output of "icacls /help" for more info)

(another note: "icacls" is a Vista/2008 command, on earlier Windows variants the command is "cacls" instead)

Solution 3:

Using IIS 7, open IIS Manager, select the server node, double click the Handler Mappings feature. Click the action Add Managed Handler and configure the handler as follows:

  • Request path: *.svn/* (wildcard mapping for all files in all .svn folders)
  • Type: System.Web.HttpForbiddenHandler
  • Name: Subversion-metadata (you can choose a different name if you like)

Now any request for files in the Subversion metadata folders named .svn in all sites should return this:

Server Error in '/' Application.

This type of page is not served.

Description: The type of page you have requested is not served because it has been explicitly forbidden. Please review the URL below and make sure that it is spelled correctly.

Requested URL: /.svn/text-base/Default.aspx.svn-base

You can choose a different handler type if you want, maybe a FileNotFound handler which will return a 404 status code.

For IIS 6 (with ASP.NET 2 installed and configured):

Navigate to Home directory > Configuration > Mapping and map the .svn-base extension to %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll. Then in machine.config (which you can find in %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\CONFIG) you can add the same handler as above for the extension: add the following XML element as a child of the <httpHandlers> element:

<add verb="*" path="*.svn-base" type="System.Web.HttpForbiddenHandler"/>

This will only prevent visitors from requesting the source code files; they could still request other files from the .svn folders. Map more extensions to aspnet_isapi.dll or make a wildcard mapping (will impact performance) and you could block more files from being requested.
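
Added example (not code from any of the answers): a Python check that compares which request paths the rewrite pattern from Solution 1 denies with what the IIS 6 *.svn-base extension mapping from Solution 3 denies, so the gap described in the last paragraph is visible. It assumes ISAPI_Rewrite matches the pattern against the whole request path and that the I flag means case-insensitive; the function names and sample paths are constructed for illustration.

```python
import re

# Pattern copied from Solution 1. Assumption: ISAPI_Rewrite matches it against
# the whole request path and the I flag makes the match case-insensitive, so
# re.fullmatch with IGNORECASE approximates the rule.
SVN_RULE = re.compile(r".*/\.svn\b.*", re.IGNORECASE)


def blocked_by_rewrite_rule(path):
    """True if the Solution 1 rule would deny this request path."""
    return SVN_RULE.fullmatch(path) is not None


def blocked_by_extension_mapping(path, extension=".svn-base"):
    """True if the IIS 6 mapping from Solution 3 would deny this path.

    Only URLs ending in the mapped extension reach HttpForbiddenHandler.
    """
    return path.lower().endswith(extension)


# Constructed sample request paths (the first one is the URL shown on the page).
SAMPLE_PATHS = [
    "/.svn/text-base/Default.aspx.svn-base",
    "/.svn/entries",
    "/admin/.SVN/entries",
    "/admin/.svn/prop-base/logo.png.svn-base",
    "/.svn",
    "/Default.aspx",
    "/docs/.svnignore.txt",            # \b keeps look-alike names servable
    "/files/report.svn/summary.html",  # ".svn" not at the start of a segment
]


def coverage(paths):
    """Map each path to (denied by rewrite rule, denied by extension mapping)."""
    return {p: (blocked_by_rewrite_rule(p), blocked_by_extension_mapping(p))
            for p in paths}


def gaps(paths):
    """Paths inside .svn that the extension-only mapping would still serve."""
    return [p for p, (rw, ext) in coverage(paths).items() if rw and not ext]


if __name__ == "__main__":
    for path, (rw, ext) in coverage(SAMPLE_PATHS).items():
        print(f"{path:42} rewrite={'deny' if rw else 'serve':5} "
              f"ext-map={'deny' if ext else 'serve'}")
    print("Still served with extension-only mapping:", gaps(SAMPLE_PATHS))
```

Extending SAMPLE_PATHS with paths from your own working copy shows which extensions would still need mapping on IIS 6.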