[ic] Risks of websites served from Subversion or CVS checkouts
Rick Bragg
lists at gmnet.net
Wed Aug 20 14:11:53 UTC 2008
A great solution is to consider taking the extra step to sync up with
the production server with unison. I use unison on my system to sync
up my checked out subversion branch files to the Interchange live server
files. This just takes a quick click in Unison to sync up. Well worth
it!
Here is a sample config file that I use for unison. In the following
config example, I am syncing up my local checked out subversion system
for the website www.domain.com/ version 1.0 branch to the live
www.domain.com website. I am also ignoring interchange log files,
subversion crumb files etc...
My subversion checked out files are here:
/home/user/repository/branches/www.domain.com/version-1.0
My live interchange files are here:
ssh://user@interchange.server.com//home/user/www.domain.com
#########################################################################
edit file: .unison/www.domain.com_version-1.0.prf
root = /home/user/repository/branches/www.domain.com/version-1.0
root = ssh://user@interchange.server.com//home/user/www.domain.com
rshargs = -C
ignore = Name *.bfproject
ignore = Name *.bfproject~
ignore = Name dns_cache.db
ignore = Name */*~
ignore = Name */.*~
ignore = Name catalog/*.log
ignore = Name catalog/*.log.*
ignore = Name catalog/products/*.gdbm
ignore = Name catalog/products/.*.gdbm
ignore = Name catalog/products/*.autonumber
ignore = Name catalog/products/.*.autonumber
ignore = Name catalog/products/*.sql
ignore = Name catalog/products/.*.sql
ignore = Name catalog/etc/status.*
ignore = Name catalog/*.structure
ignore = Path catalog/tmp
ignore = Path catalog/backup
ignore = Path catalog/upload
ignore = Path catalog/images
ignore = Path catalog/logs
ignore = Path catalog/orders
ignore = Path catalog/session
ignore = Path html/interchange-5
ignore = Path html/reports
ignore = Path .svn
ignore = Path */.svn
ignore = Path */*/.svn
ignore = Path */*/*/.svn
ignore = Path */*/*/*/.svn
ignore = Path */*/*/*/*/.svn
ignore = Path */*/*/*/*/*/.svn
ignore = Path */*/*/*/*/*/*/.svn
ignore = Path */*/*/*/*/*/*/*/.svn
ignore = Path */*/*/*/*/*/*/*/*/.svn
ignore = Path */*/*/*/*/*/*/*/*/*/.svn
# ignore = Path html/*/images/items/image
# ignore = Path html/*/images/items/thumb
##################################################################
thanks
rick
On Tue, 2008-08-19 at 18:19 -0600, Jon Jensen wrote:
> Interchange users,
>
> At the talk "Rails Security" by Jonathan Weiss at LinuxTag 2008, he
> mentioned (among other things) a possible security problem for sites being
> run out of a Subversion (or CVS) working copy, where the metadata inside
> the .svn/ or CVS/ directories may be exposed to the world.
>
> This post by someone else explains it nicely:
>
> http://scottbarnham.com/blog/2008/04/22/serving-websites-from-svn-checkout-considered-harmful/
>
> Interchange appears not to be vulnerable to this by default as it will
> only serve files that end in .html, and all the .svn/ and CVS/ filenames
> have no suffix, or end with .svn-base, so are not served by Interchange.
>
> But if the docroot is served from a Subversion or CVS checkout, its
> metadata files are likely served to the world -- relatively harmless, but
> can reveal internal file paths, hostnames, and OS account names.
>
> For PHP or SSI, on the other hand, this could be a disaster, as the
> complete source to all files could be revealed, since the .svn-base suffix
> will cause Apache not to parse the code as PHP but pass through the
> source.
>
> If you use Subversion or CVS on any project, I recommend you look into how
> your files are being served and see if there's anything being exposed.
> Checkouts from Git, Mercurial, or Bazaar are not likely to be a problem,
> since they only have metadata directories (.git, .hg, .bzr) and associated
> files at the root of the checkout, which would often be outside the
> docroot.
>
> Jon
>
> --
> Jon Jensen
> End Point Corporation
> http://www.endpoint.com/
>
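A quick way to check a docroot for the exposure Jon describes, added here as an example and not code from either message in this thread: a POSIX shell audit that lists every .svn/, CVS/, .git/, .hg/ or .bzr/ directory under a docroot and counts the *.svn-base text-base copies that PHP or SSI would pass through as plain source. The docroot path is an assumption, and the check is generic rather than tied to the Interchange catalog layout above.

```shell
#!/bin/sh
# Audit a web docroot for version-control metadata that the web server could
# serve. The directory names are the ones named in the thread; the docroot
# passed in is whatever you actually serve (assumed, e.g. /var/www/html).

# Print every VCS metadata directory found under $1, one per line.
find_vcs_metadata() {
    find "$1" -type d \( -name .svn -o -name CVS -o -name .git \
        -o -name .hg -o -name .bzr \) -print
}

# Count pristine copies (*.svn-base) under $1. Pre-1.7 Subversion kept these
# in .svn/text-base/, so a served .svn/ directory leaks full source this way.
count_svn_base() {
    find "$1" -type f -name '*.svn-base' | wc -l | tr -d ' '
}

# Report findings; return 0 when the docroot is clean, 1 when anything was found.
audit_docroot() {
    docroot="$1"
    dirs=$(find_vcs_metadata "$docroot")
    bases=$(count_svn_base "$docroot")
    if [ -z "$dirs" ] && [ "$bases" -eq 0 ]; then
        echo "clean: no VCS metadata under $docroot"
        return 0
    fi
    echo "VCS metadata found under $docroot (deny or remove before serving):"
    printf '%s\n' "$dirs" | sed '/^$/d; s/^/  /'
    echo "  $bases file(s) ending in .svn-base"
    return 1
}

# Usage: sh audit_docroot.sh /var/www/html   (path is an example)
if [ -n "$1" ]; then
    audit_docroot "$1"
fi
```

Run it against the directory your web server actually serves, not the checkout it was synced from; a non-zero exit means something a browser could fetch is still there.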