While fiddling around with a custom look for the web interface for svn over http/Apache2 i encountered some simple enough configuration instructions:
The svn-book states:
Chapter Repository Browsing subsection:
Listing repositories
If you’re serving a collection of repositories from a single URL via the SVNParentPath directive, then it’s also possible to have
Apache display all available repositories to a web browser. Just activate the SVNListParentPath directive:
<Location /svn>
DAV svn
SVNParentPath /var/svn
SVNListParentPath on
...
</Location>
If a user now points her web browser to the URL http://host.example.com/svn/, she’ll see a list of all Subversion re-
positories sitting in /var/svn. Obviously, this can be a security problem, so this feature is turned off by default.
What is the Obvious security problem I am missing?
It’s not exactly a critical security issue – more like a privacy issue.
It’s referring to the fact that repositories can be private, and that listing them by path would publicise their existence. Think of it like directory listings in Apache – when enabled, if there’s no index file, you’ll get a list of files in that directory. This is a security problem because people might find innards of your system that you didn’t want them to see.