[ic] Risks of websites served from Subversion or CVS checkouts
Jon Jensen
jon at endpoint.com
Wed Aug 20 15:05:54 UTC 2008
On Wed, 20 Aug 2008, Stefan Hornburg wrote:
>>>>> If you use Subversion or CVS on any project, I recommend you look into how
>>>>> your files are being served and see if there's anything being exposed.
>>
>> We could easily set $relpat = qr/(\.\.|\.svn|CVS)/ in Vend::File
>> to ignore CVS/Subversion directories.
>
> Or, make this configurable.
Certainly, that would be useful in general.
Though I hope you all didn't miss my note that Interchange as configured
by default is *not* vulnerable to this anyway, as it will only serve
files ending in .html, and in my checks none of the CVS or Subversion
metadata matches that criterion. So it may be a solution without a real
problem. :)
Jon
--
Jon Jensen
End Point Corporation
http://www.endpoint.com/
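
An added example, not part of the original message and not Interchange's own code: it runs the pattern quoted above against constructed request paths, beside a hypothetical per-component check (`is_vcs_path`, an assumption made here), and marks which paths end in .html as the default configuration described above requires.

```perl
#!/usr/bin/perl
# Added example, not Interchange code. $relpat is the pattern quoted in the
# thread; is_vcs_path() and all sample paths are constructed for illustration.
use strict;
use warnings;

# Pattern as suggested in the thread: an unanchored substring match.
my $relpat = qr/(\.\.|\.svn|CVS)/;

# Hypothetical stricter check: reject only when a whole path component
# is "..", ".svn" or "CVS".
sub is_vcs_path {
    my ($path) = @_;
    for my $part (split m{/+}, $path) {
        return 1 if $part eq '..' || $part eq '.svn' || $part eq 'CVS';
    }
    return 0;
}

# Constructed request paths (relative to a checkout used as document root).
my @paths = (
    'index.html',
    'pages/.svn/entries',
    'pages/.svn/text-base/index.html.svn-base',
    'pages/CVS/Entries',
    'pages/CVS/Root',
    '../catalog.cfg',
    'docs/CVSmigration.html',    # legitimate page whose name contains "CVS"
    'news/v1..2.html',           # legitimate page whose name contains ".."
);

printf "%-42s %-10s %-10s %s\n", 'path', 'substring', 'component', '.html?';
for my $p (@paths) {
    printf "%-42s %-10s %-10s %s\n",
        $p,
        ($p =~ $relpat     ? 'blocked' : 'allowed'),
        (is_vcs_path($p)   ? 'blocked' : 'allowed'),
        ($p =~ /\.html\z/  ? 'yes'     : 'no');
}
```

The last two sample paths show the trade-off: the substring pattern also blocks ordinary pages whose names merely contain "CVS" or "..", while the component check blocks only the metadata directories and parent-directory references.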