[ic] Risks of websites served from Subversion or CVS checkouts

Jon Jensen jon at endpoint.com
Wed Aug 20 00:19:17 UTC 2008

Interchange users,

At the talk "Rails Security" by Jonathan Weiss at LinuxTag 2008, he 
mentioned (among other things) a possible security problem for sites being 
run out of a Subversion (or CVS) working copy, where the metadata inside 
the .svn/ or CVS/ directories may be exposed to the world.

This post by someone else explains it nicely:


Interchange appears not to be vulnerable to this by default as it will 
only serve files that end in .html, and all the .svn/ and CVS/ filenames 
have no suffix, or end with .svn-base, so are not served by Interchange.

But if the docroot is served from a Subversion or CVS checkout, its 
metadata files are likely served to the world -- relatively harmless, but 
can reveal internal file paths, hostnames, and OS account names.

For PHP or SSI, on the other hand, this could be a disaster, as the 
complete source to all files could be revealed, since the .svn-base suffix 
will cause Apache not to parse the code as PHP but pass through the 

If you use Subversion or CVS on any project, I recommend you look into how 
your files are being served and see if there's anything being exposed. 
Checkouts from Git, Mercurial, or Bazaar are not likely to be a problem, 
since they only have metadata directories (.git, .hg, .bzr) and associated 
files at the root of the checkout, which would often be outside the 


Jon Jensen
End Point Corporation

More information about the interchange-users mailing list