Wayne Graham's Blog - Subversion

Subversion with mod_security

Tue, 06 Mar 2007 16:35:00 -0500

I ran into a bit of an issue while setting up a new subversion server today. On that box we're running mod_security on all vhosts to add another layer of security to our web apps. I got everything configured with the the security, but when I was testing, I kept getting 403 errors when I attempted to get the files in anything other than a web browser. After scratching my head for a while, I looked at the Apache logs, and noticed that mod_rewrite was causing the issue with lines like this:


[Tue Mar 06 13:46:46 2007] [error] [client xxx.xxx.xxx.xxx] mod_security: Access denied with code 403. Pattern match "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)" at HEADER("Content-Type") [severity "EMERGENCY"] [hostname "svn.example.com"] [uri "/test"]

I stumbled on Charl van Niekerk's entry on this. One of the comments suggested that the following is the bare minimum to run mod_security on a vhost running subversion:


SecFilterSelective REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
SecFilterSelective REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
SecFilterSelective REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
SecFilterSelective REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow

This should be in the first directives in your mod_security call:




    # Enable ModSecurity
    SecFilterEngine On

    # Allow SVN requests
	SecFilterSelective REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
	SecFilterSelective REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
	SecFilterSelective REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
	SecFilterSelective REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow

	...
	# rest of your directives

If you run a Subversion repository and have run into this issue, these security filters should help!

Cygwin to the Rescue!

Wed, 14 Dec 2005 15:53:00 -0500

I had a local SVN repository that had a lot of large images in it (scans of letters to- and from- Thomas Jefferson) that I needed to remove from the repository on my local machine but keep the files. Normally, this is an export issue, however, we're talking about 800 hundred images that are around 40MB a piece. Needless to say this was going to take more time than I was willing to dedicate to the task. This is where Cygwin came into play. I basically wanted to delete all of the .svn folders that Subversion creates when you add something to a repository. So, with a single line, I was able delete the folders for an operation that would have taken a few hours to complete with the export task. So, in case you ever find yourself needed a script like this, here you go (assuming you're in the directory you want to start deleting in):


find . -type d -name ?*.svn? -print0 | xargs -0 rm -rdf

This also works wonders for deleting .DS_Store files that tend to get onto your servers when you have Mac users (just be sure to change the -type flag to f).

One-Click Subversion Setup

Mon, 05 Dec 2005 11:09:00 -0500

I ran across a neat project this morning as I was rebuilding a server box to run Subversion called Svn1ClickSetup. Not only does it install the Windows binaries for SVN 1.2.3 and running SVN as a Windows Service, but also adds Tortoise SVN 1.2.5 from the single installer. The installer also walks you through creating a first repository with trunk, branches, and tags folders. If you have to set up Subversion to run on Windows, this is definately a time saver!