安全性:通过 mod_rewrite 拒绝访问 .hg/*
我的网站是一个包含多个子存储库的水银存储库。我需要确保拒绝访问服务器上每个 .hg 目录中的所有文件。
例如,我有 http://example.com/.hg/ 和 http://example.com/subrepo1/.hg/
我添加了以下内容到 .htaccess:
<Files ~ "^\.(hg|ht)">
Order allow,deny
Deny from all
</Files>
这是一个好的开始,因为它拒绝访问以 .hg 和 .ht 开头的文件,但它不会拒绝访问 .hg 和 .ht 中的文件code>.hg 目录,因此如果有人输入,例如 http://example.com/.hg/branch,分支文件将显示在他们的浏览器中。
我需要做什么才能确保这些文件不会显示给用户?如果有人尝试访问我服务器上任何 .hg 目录中的文件,我想将 403 或 404 发送回浏览器。
这个问题也与网站是 subversion / svn 存储库的任何人相关。
My website is a mercurial repository with multiple subrepositories. I need to make sure I'm denying access to all files in every .hg directory on the server.
For example, I have http://example.com/.hg/ and http://example.com/subrepo1/.hg/
I've added the following to .htaccess:
<Files ~ "^\.(hg|ht)">
Order allow,deny
Deny from all
</Files>
This is a good start, as it denies access to files beginning with .hg and .ht, but it doesn't deny access to the files inside .hg directories, so if someone types, for instance http://example.com/.hg/branch, the branch file will be displayed in their browser.
What do I need to do in order to make sure these files are not displayed to the user? I'd like to send either a 403 or a 404 back to the browser if someone tries to access a file inside any .hg directory on my server.
This question is also relevant for anyone whose website is a subversion / svn repository.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
如果您没有使用
mod_rewrite,那么您可以这样做:(完全披露:针对Mercurial的答案改编自这个问题关于对 Subversion 做同样的事情)。
If you don't have to use
mod_rewrite, then you can just do this:(Full disclosure: answer adapted for Mercurial from this question about doing the same thing for Subversion).
您始终可以将 .htaccess 文件放入这些文件夹中并拒绝该文件夹内的所有访问。
我假设您想要一个解决方案,您不必将 .htaccess 文件放在每个文件夹和子文件夹中?
尝试以下操作(假设您可以通过 ssh 访问网络服务器):
内容:
执行以下命令:
<代码>查找 . -type d -name .hg -exec cp ./.htaccess {} \;
然后再次从文档根目录中删除 .htaccess 文件
You always have the possibility to place .htaccess files in these folders and deny all access within the Folder.
I'm assuming you want a solution, where you don't have to put the .htaccess files in every folder and subfolder?
Try the following (assuming you have ssh access to the webserver):
Content:
Execute the following command:
find . -type d -name .hg -exec cp ./.htaccess {} \;Afterwards delete the .htaccess file from your document root again
如果您只是将存储库完全保留在 DocumentRoot 之外,那么这个问题就不那么重要了。您可能正在使用 hgweb 或 hgwebdir,它们不需要文件位于 DocumentRoot 内,所以不要这样做。将它们放在 /home/hg/repos 或其他目录中,然后配置 hgwebdir.conf 来查找那里。
将存储库放在 DocumentRoot 中的唯一原因是为 Mercurial 启用静态 http URL 形式,但它非常慢,并且在可能的情况下始终首选 hgweb。
This is much less of a concern if you just keep the repositories outside of your DocumentRoot altogether. You're probably using hgweb or hgwebdir, which don't require the files be inside the DocumentRoot, so don't do it. Put them in /home/hg/repos or something and configure your hgwebdir.conf to look there.
The only reason to have the repos inside the DocumentRoot would be enable the static-http URL form for mercurial, but it's very slow and hgweb is always preferred when it's possible.