Blocking old versions of Subversion using WebDAV

I recently needed to block older clients from our corporate Subversion repository. It turns out merge history (which was introduced in SVN 1.5) isn’t stored properly in older clients and can really be reliably counted upon from 1.6.6 and up. We had a requirement to mark 1.6 clients (earlier than 1.6.6) read-only, and deny earlier clients (1.5.x and earlier) altogether.

It’s relatively easy to do in the apache.conf file.
This goes somewhere in the global directive space:

# Check to see if we're subversion, and if we are grab the version
SetEnvIf User-Agent SVN\/([0-9\.]+) svnVersion=$1

# Completely block old clients
SetEnvIf svnVersion ^1\.[0-5]\..+ svnDeny

# Deny write access to pre-1.6.6 clients
SetEnvIf svnVersion ^1\.6\.[0-5]$ svnLock

Drop this in your Location directive:

# Some deny rules
Order Allow,Deny
Allow from all
Deny from env=svnDeny

Done!
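
To check which clients the three SetEnvIf rules above actually catch, this added example (not part of the original post) mirrors them in Python and classifies constructed User-Agent strings. The read-only pattern is written as `^1\.6\.[0-5]$` so that 1.6.0 is covered and the dot is literal; the function names and sample strings are assumptions for illustration.

```python
import re

# Python mirrors of the SetEnvIf rules. SetEnvIf performs an unanchored
# regex search, so re.search() is the matching equivalent here.
UA_VERSION = re.compile(r"SVN/([0-9.]+)")   # svnVersion=$1
DENY = re.compile(r"^1\.[0-5]\..+")         # svnDeny: 1.0.x through 1.5.x
READ_ONLY = re.compile(r"^1\.6\.[0-5]$")    # svnLock: 1.6.0 through 1.6.5


def classify(user_agent):
    """Return 'deny', 'read-only' or 'allow' for one User-Agent header."""
    match = UA_VERSION.search(user_agent)
    if match is None:
        # Not a Subversion client: svnVersion is never set, no rule fires.
        return "allow"
    version = match.group(1)
    if DENY.search(version):
        return "deny"
    if READ_ONLY.search(version):
        return "read-only"
    return "allow"


# Constructed sample headers (revision and library suffixes are made up).
SAMPLES = [
    "SVN/1.4.6 (r00000) neon/0.0.0",
    "SVN/1.5.5 (r00000) neon/0.0.0",
    "SVN/1.6.0 (r00000) neon/0.0.0",
    "SVN/1.6.5 (r00000) neon/0.0.0",
    "SVN/1.6.6 (r00000) neon/0.0.0",
    "SVN/1.6.10 (r00000) neon/0.0.0",   # two-digit patch level
    "SVN/1.10.0 (r00000) serf/0.0.0",   # two-digit minor version
    "Mozilla/5.0 (constructed browser string)",
]


def report(samples=SAMPLES):
    """Classify every sample and return (header, verdict) pairs."""
    return [(ua, classify(ua)) for ua in samples]


if __name__ == "__main__":
    for ua, verdict in report():
        print(f"{verdict:10} {ua}")
```

Because the User-Agent header is supplied by the client, these rules work as a compatibility guard for well-behaved clients rather than as an access control. The Location block above acts only on svnDeny, so svnLock needs its own rule before it has any effect.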

1 comment to Blocking old versions of Subversion using WebDAV

  • Marcin Puchala

    Hi there,

    Great help, I have been looking for this kind of snippet for ages.
    We have got svnserver 1.5.5 served via Apache with WebDAV auth. The WebDAV directives are nested within
    However, we are upgrading to 1.6.x and I’ve been trying to enable Active Directory authentication supported with LDAP through the CollabNet Edge System. The auth works fine and end users get prompted via IE/Firefox, svn client 1.5 & 1.6 and Eclipse Subversive. I am really struggling to block any svn clients < 1.6.x. Note: our repos are on a different disk partition.

    Now, when I try to use the following code in httpd.conf, I am prompted for password regardless of the client. I'd like to block the clients 1.5.5 though. Any help will be much appreciated.

    AuthLDAPUrl "ldap://example.com/DC=FINEOS,DC=com?sAMAccountName,memberOf?sub?(&(sAMAccountName=*)(memberOf=CN=PRD_SVN_ALLOWED,OU=SECURITY_GROUPS,DC=FINEOS,DC=com)(objectCategory=user))" "NONE"

    AuthLDAPBindDN "CN=srv_svnauth,OU=SERVICE_ACCOUNTS,DC=FINEOS,DC=com"
    AuthLDAPBindPassword "************"

    # Check to see if we’re subversion, and if we are grab the version
    SetEnvIf User-Agent SVN\/([0-9\.]+) svnVersion=$1

    # Completely block old clients
    SetEnvIf svnVersion ^1\.[0-5]\..+ svnDeny

    # Deny write access to pre-1.6.6 clients
    SetEnvIf svnVersion ^1\.6.[1-5]$ svnLock

    AliasMatch ^(/svn)$ "e:/svnrepos"

    Order deny,allow
    Allow from all
    Deny from env=svnDeny

    AuthBasicProvider ldap-users

    AuthType Basic
    AuthName LDAP_Protected_Place
    AuthzLDAPAuthoritative off
    Require valid-user

    Cheers
    Marcin
