[ic] Risks of websites served from Subversion or CVS checkouts

Rick Bragg lists at gmnet.net
Wed Aug 20 14:11:53 UTC 2008


A great solution is to consider taking the extra step to sync up with
the production server with unison.  I use unison on my system to sync
up my checked out subversion branch files to the Interchange live server
files.  This just takes a quick click in Unison to sync up.  Well worth
it!

Here is a sample config file that I use for unison. In the following
config example, I am syncing up my local checked out subversion system
for the website www.domain.com/ version 1.0 branch to the live
www.domain.com website. I am also ignoring interchange log files,
subversion crumb files etc.

My subversion checked out files are here:
/home/user/repository/branches/www.domain.com/version-1.0

My live interchange files are here:
ssh://user@interchange.server.com//home/user/www.domain.com


#########################################################################
edit file: .unison/www.domain.com_version-1.0.prf

root = /home/user/repository/branches/www.domain.com/version-1.0
root = ssh://user@interchange.server.com//home/user/www.domain.com
rshargs = -C

    ignore = Name *.bfproject
    ignore = Name *.bfproject~
    ignore = Name dns_cache.db
    ignore = Name */*~
    ignore = Name */.*~
    ignore = Name catalog/*.log
    ignore = Name catalog/*.log.*
    ignore = Name catalog/products/*.gdbm
    ignore = Name catalog/products/.*.gdbm
    ignore = Name catalog/products/*.autonumber
    ignore = Name catalog/products/.*.autonumber
    ignore = Name catalog/products/*.sql
    ignore = Name catalog/products/.*.sql
    ignore = Name catalog/etc/status.*
    ignore = Name catalog/*.structure
    ignore = Path catalog/tmp
    ignore = Path catalog/backup
    ignore = Path catalog/upload
    ignore = Path catalog/images
    ignore = Path catalog/logs
    ignore = Path catalog/orders
    ignore = Path catalog/session
    ignore = Path html/interchange-5
    ignore = Path html/reports

    ignore = Path .svn
    ignore = Path */.svn
    ignore = Path */*/.svn
    ignore = Path */*/*/.svn
    ignore = Path */*/*/*/.svn
    ignore = Path */*/*/*/*/.svn
    ignore = Path */*/*/*/*/*/.svn
    ignore = Path */*/*/*/*/*/*/.svn
    ignore = Path */*/*/*/*/*/*/*/.svn
    ignore = Path */*/*/*/*/*/*/*/*/.svn
    ignore = Path */*/*/*/*/*/*/*/*/*/.svn

#    ignore = Path html/*/images/items/image
#    ignore = Path html/*/images/items/thumb

##################################################################

thanks
rick
On Tue, 2008-08-19 at 18:19 -0600, Jon Jensen wrote:
> Interchange users,
> 
> At the talk "Rails Security" by Jonathan Weiss at LinuxTag 2008, he 
> mentioned (among other things) a possible security problem for sites being 
> run out of a Subversion (or CVS) working copy, where the metadata inside 
> the .svn/ or CVS/ directories may be exposed to the world.
> 
> This post by someone else explains it nicely:
> 
> http://scottbarnham.com/blog/2008/04/22/serving-websites-from-svn-checkout-considered-harmful/
> 
> Interchange appears not to be vulnerable to this by default as it will 
> only serve files that end in .html, and all the .svn/ and CVS/ filenames 
> have no suffix, or end with .svn-base, so are not served by Interchange.
> 
> But if the docroot is served from a Subversion or CVS checkout, its 
> metadata files are likely served to the world -- relatively harmless, but 
> can reveal internal file paths, hostnames, and OS account names.
> 
> For PHP or SSI, on the other hand, this could be a disaster, as the 
> complete source to all files could be revealed, since the .svn-base suffix 
> will cause Apache not to parse the code as PHP but pass through the 
> source.
> 
> If you use Subversion or CVS on any project, I recommend you look into how 
> your files are being served and see if there's anything being exposed. 
> Checkouts from Git, Mercurial, or Bazaar are not likely to be a problem, 
> since they only have metadata directories (.git, .hg, .bzr) and associated 
> files at the root of the checkout, which would often be outside the 
> docroot.
> 
> Jon
> 
> --
> Jon Jensen
> End Point Corporation
> http://www.endpoint.com/
> 
> _______________________________________________
> interchange-users mailing list
> interchange-users at icdevgroup.org
> http://www.icdevgroup.org/mailman/listinfo/interchange-users
> 

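As an added illustration of Jon's advice to check what a docroot actually exposes (example code written for this page, not from Interchange, Unison or either poster): the script below builds a constructed sample checkout in a temporary directory and lists the version-control metadata files a web server would hand out, comparing a serve-everything policy (static Apache) with the only-*.html rule the thread attributes to Interchange. The function and file names are hypothetical.

```python
import os
import tempfile

# Directory names that hold version-control metadata (CVS uses a capitalised name).
VCS_DIRS = {".svn", "CVS", ".git", ".hg", ".bzr"}


def serve_everything(relpath):
    """Static-Apache-style policy: any readable file under the docroot is served."""
    return True


def serve_only_html(relpath):
    """Interchange-style policy described in the thread: only *.html is served."""
    return relpath.endswith(".html")


def exposed_vcs_files(docroot, is_served=serve_everything):
    """Return docroot-relative paths of VCS metadata files the policy would serve."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        if not any(p in VCS_DIRS for p in parts):
            continue  # ordinary content directory, nothing to report
        for name in filenames:
            rel = os.path.join(*parts, name)
            if is_served(rel):
                found.append(rel)
    return sorted(found)


def build_sample_checkout():
    """Constructed sample tree (not a real site): a docroot that is a Subversion
    working copy, with one legacy subdirectory still managed by CVS."""
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "index.html": "<h1>shop</h1>",
        ".svn/entries": "constructed entries file",
        ".svn/text-base/index.html.svn-base": "<h1>shop</h1>",
        "admin/login.php": "<?php /* constructed */ ?>",
        "admin/.svn/text-base/login.php.svn-base": "<?php /* constructed */ ?>",
        "legacy/CVS/Root": ":ext:user@cvs.example.invalid:/cvsroot",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

Under the serve-everything policy the .svn-base copy of login.php is listed, which is the PHP source pass-through Jon describes; under the only-*.html policy nothing is listed, because no metadata file carries that suffix.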
