Category Archives: General

Subversion and Mod_Security Issues

Facebooktwittergoogle_plusredditpinterestlinkedinmail

 

I set on to install subversion with Apache on Fedora 11 and after all the steps were completed I was not able to import a project in to the repository due to this error:

[omerio@future TestProject]$ svn import -m “Initial Import” /tmp/TestProject http://salam/repos/TestProject
Authentication realm: <http://salam:80> Authorization Realm
Password for ‘omerio’:
svn: applying log message to /repos/!svn/wbl/c0e1dee1-2e96-432e-a904-054d922233d8/0: 501 Method Not Implemented (http://salam)

I checked my svn setup and everything was fine, even a Google search didn’t help. Luckily I remembered that I have mod_security with Apache, a quick check revealed  that mod_security was blocking subversion’s http requests as seen from the mod_security logs

[Sat Sep 26 13:13:59 2009] [error] [client 192.168.1.5] ModSecurity: Access denied with code 501 (phase 2). Match of “rx (?:^(?:application\\\\/x-www-form-urlencoded(?:;(?:\\\\s?charset\\\\s?=\\\\s?[\\\\w\\\\d\\\\-]{1,18})?)??$|multipart/form-data;)|text/xml)” against “REQUEST_HEADERS:Content-Type” required. [file “/etc/httpd/modsecurity.d/modsecurity_crs_30_http_policy.conf”] [line “69”] [id “960010”] [msg “Request content type is not allowed by policy”] [severity “WARNING”] [tag “POLICY/ENCODING_NOT_ALLOWED”] [hostname “salam”] [uri “/repos/!svn/wbl/909077f2-7e84-4b7d-8e8a-8cbc35fc1ef0/0”] [unique_id “Sr4Fh38AAAEAABSMGt4AAAAA”]

I checked Google and found this page which was very useful, so I added a number of mod_security exceptions to the subversion.conf Apache configuration file, Although I had to commit a few projects to get a list of the violated mod_security rules. I think if I get any further mod_security issues with svn I will disable the security engine for svn:

  
<Location /repos>
   DAV svn
   SVNPath /var/opt/apps/svn/repos
   AuthType Basic
   AuthName "Authorization Realm"
   AuthUserFile /var/opt/apps/passwd/passwords
   Require valid-user
   <IfModule mod_security2.c>
        SecRuleRemoveByID 960032
        SecRuleRemoveByID 960015
        SecRuleRemoveByID 960904
        SecRuleRemoveByID 960010
        SecRuleRemoveByID 960035
        SecRule REQUEST_METHOD "^(PROPFIND|PROPPATCH)$" allow
        SecRule REQUEST_METHOD "^(REPORT|OPTIONS)$" allow
        SecRule REQUEST_METHOD "^(MKACTIVITY|CHECKOUT)$" allow
        SecRule REQUEST_METHOD "^(PUT|DELETE|MERGE)$" allow
        SecRule REQUEST_METHOD "^(MKCOL)$" allow
    </IfModule>
</Location>