Subversion: .htaccess gives 403 forbidden?

I’m trying to import a brand new top secret project into my Subversion Repository.

Okay, I’ve had my share of troubles with that set-up — it is behind an Apache Reverse Proxy, with a bit of perl hacking to support move operations accross SSL tunnels. (I’ll post about this soon, I’m sure it will interest someone).

So, I was trying to import my new project and BANG, it dies.

Ajout          public/javascripts/application.js
Ajout          public/javascripts/controls.js
Ajout          public/404.html
Ajout          public/index.html
Ajout          public/.htaccess
svn: PUT of '/svn/repos/!svn/xx/.htaccess': 
302 Found (https://www.underwares.org)
svn: Le message de propagation a été laissé dans un fichier temporaire :
svn:    'svn-commit.4.tmp'

I first wonder the meaning of such foolery (foolery that has nothing to do with Tom, whatsoever) and then slap my forehead loudly.

I use shitty redirects for HTTP errors to display lovely custom error messages. SVN probably dislikes the redirect and displays it as the problem, hence, 302 found.

I comment that stuff out of httpd.conf, restart apache, and bam. There is the real error.

svn: PUT of '/svn/repos/!svn/wrk/xx/.htaccess': 
403 Forbidden (https://www.underwares.org)

Well, shit. It seems to be explicitely rejecting files named “.htaccess”. I thought it might have been mod_security being too anal once again, but that would have returned a 406 (content unacceptable). I still disable mod_security, to no avail.

I run a simple test to confirm. I create a folder with four files:

  • .htaccess
  • .htpasswd
  • .htpouet
  • .pouet

So, we’ll see what happen. I try to import them into svn. I first start with “.pouet”, for kicks.

$ svn import . https://www.underwares.org/svn/repos/private/test
Ajout          .pouet

Révision 275 propagée.

Well, that worked. So it’s not the dot. Next, “.htaccess”.

 phobos$ svn import . https://www.underwares.org/svn/repos/private/test
svn: PROPFIND request failed on '/svn/repos/private/test/.htaccess'
svn: PROPFIND of '/svn/repos/private/test/.htaccess': 
403 Forbidden (https://www.underwares.org)
svn: Le message de propagation a été laissé dans un fichier temporaire :
svn:    'svn-commit.2.tmp'
phobos$

Well, that failed. “.htpasswd” fails as well, and to much of my surprise, “.htpouet” fails as well.

Then it hit me. The following regular expression flashed through my mind: ^.ht Damn it! The default httpd.conf has a directive that denies access to such files on a global level. A quick look at the file confirms:

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

So here we go. I comment out that obnoxious directive, and move it inside the “Directory” directive of my vhost. I also add it to every single vhost on my server.

Some clever people are probably thinking, why didn’t you do something like this?

<Location /svn>
  <Files ~ "^\.ht">
        Order allow,deny
        Allow from all
        Satisfy All
  </Files>
</Location>

Well, you can’t have a Files directive nested inside a Location directive. You can, however, have one inside a Directory directive. So, now users can’t access .ht files through the web, which is good, and SVN can, which is good as well.

All of this was probably related to my sinister Reverse Proxy buisness. Don’t attempt such a set-up unless you like pain, kids.

You might also enjoy:

About Alexandre Gauthier

A freelance network guy, sometimes programmer and overall tinkerer. Said to be a decent writer, in both english and en français. Wears fancy pants with torn t-shirts on sundays. Enjoys writing long, vitriolic diatribes and short stories. Lives inside a unix shell, favorite text editor is vim.
This entry was posted in Computers, English, Version Control Systems, Web Servers and tagged , , , . Bookmark the permalink.

2 Responses to Subversion: .htaccess gives 403 forbidden?

  1. Derek says:

    You rock bro, your post set off a lightbulb over my head helping me fix a 5-month long issue with svn that I had just about given up on …

  2. Wesley S says:

    If you’re on a shared hosting server and can’t update the central httpd.conf file, but still want to upload a “.htaccess” file via subversion over WebDAV (as this article is about), you may still be able to do it!

    Say your repository is located at
    http://www.domain.com/folder/to/svn/repository/xyz

    And your domain.com files are loaded out of
    /home/YourUserName/domain.com/

    Then just shell (or S/FTP, your choice) into your server and make the full path like so:
    /home/YourUserName/domain.com/folder/to/svn/repository/xyz/

    Finally, just upload a .htaccess file containing:

    <Files ~ "^\.ht">
        Order allow,deny
        Allow from all
        Satisfy All
    </Files>
    

Leave a Reply

Your email address will not be published. Required fields are marked *

*


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="" escaped="" highlight="">