[Mongrel] SVN security hole explained

Ezra Zygmuntowicz ezmobius at gmail.com
Fri Aug 25 11:57:08 EDT 2006


On Aug 25, 2006, at 8:26 AM, Francois Beausoleil wrote:

> Hi all,
>
> If you are using Pound / Pen or another load balancer, I believe you
> should read this:
>
> http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel
>
> My article refers to Dan Benjamin's
> http://hivelogic.com/articles/2006/04/30/preventing_svn_exposure
>
> My point is that even though we are preventing Apache from serving
> anything except a select few file extensions, Mongrel is serving up
> the files behind the scenes.
>
> So, http://myrailsapp.com/.svn/entries exposes Subversion metadata.
>
> Go and read the posts, well worth the time:
> http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel
>
> Bye !
> -- 
> François Beausoleil
> http://blog.teksol.info/


Yup, this is a problem with Capistrano's default deploy.rb file. It uses svn co, so all the .svn metadata is there by default. I personally always set :checkout, "export" in my deploy.rb files so this cannot happen, just like you mention on your blog. I feel it's worth the trade-off of not being able to hot patch your current deployment.

-Ezra
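Added example, not part of this thread and not code from Mongrel or Capistrano: two defender-side checks for the exposure Francois describes. The first, vcs_metadata_request?, percent-decodes a request path, normalises "." and ".." segments and reports whether it targets a version-control metadata directory, so a request handler in front of the application's file serving can answer 404 for /.svn/entries and its encoded or traversal-disguised variants. The second, find_vcs_metadata, walks a deployed document root and lists every metadata directory that an "svn co"-based deploy left reachable over HTTP, which is the post-deploy check to run if you keep the default checkout instead of switching to export. The .git, .hg and CVS names, the helper names and the sample tree built by build_demo_tree are my assumptions, not anything from the thread.

```ruby
# Added example (not from the original thread, Mongrel or Capistrano).
require 'find'
require 'tmpdir'
require 'fileutils'

# Directory names that hold version-control metadata. The thread only talks
# about .svn; the other three are added here by assumption.
VCS_METADATA_DIRS = %w[.svn .git .hg CVS].freeze

# Percent-decode a raw request path and split it into normalised segments:
# empty and "." segments are dropped, ".." pops the previous segment, and the
# query string is ignored. Works on a binary copy so odd bytes cannot raise
# encoding errors while decoding.
def normalized_segments(raw_path)
  decoded = raw_path.to_s.b
  # Decode repeatedly so double-encoded forms such as %252e are not missed.
  3.times do
    once = decoded.gsub(/%([0-9a-fA-F]{2})/) { [$1.hex].pack('C') }
    break if once == decoded
    decoded = once
  end
  decoded = decoded.split('?', 2).first.to_s
  segments = []
  decoded.split('/').each do |seg|
    case seg
    when '', '.' then next
    when '..'    then segments.pop
    else segments << seg
    end
  end
  segments
end

# True when any normalised path segment names a VCS metadata directory, i.e.
# the request is for something like /.svn/entries, /%2Esvn/entries or
# /images/../.svn/entries and should be refused rather than served.
def vcs_metadata_request?(raw_path)
  normalized_segments(raw_path).any? { |seg| VCS_METADATA_DIRS.include?(seg) }
end

# Walk a deployed document root and return the VCS metadata directories under
# it, relative to root and sorted. Each hit is pruned so its contents are not
# listed again.
def find_vcs_metadata(root)
  found = []
  Find.find(root) do |path|
    next unless File.directory?(path) && VCS_METADATA_DIRS.include?(File.basename(path))
    found << path.sub(%r{\A#{Regexp.escape(root)}/?}, '')
    Find.prune
  end
  found.sort
end

# Build a constructed, throw-away tree that mimics what "svn co" leaves
# behind (sample data only, not a real application).
def build_demo_tree(root)
  %w[public/.svn public/images/.svn app/models/.svn].each do |dir|
    FileUtils.mkdir_p(File.join(root, dir))
    File.write(File.join(root, dir, 'entries'), "10\n\ndir\n")
  end
  File.write(File.join(root, 'public', 'index.html'), "<html></html>\n")
  root
end

if __FILE__ == $0
  %w[/.svn/entries /%2Esvn/entries /images/../.svn/entries /index.html].each do |p|
    puts "#{p.ljust(26)} -> #{vcs_metadata_request?(p) ? 'refuse' : 'serve'}"
  end
  Dir.mktmpdir do |dir|
    build_demo_tree(dir)
    puts "exposed under public/: #{find_vcs_metadata(File.join(dir, 'public')).inspect}"
  end
end
```

Run it as a script to see the decisions for a few request paths and the metadata directories found under the constructed public/ tree; in a real deployment, point find_vcs_metadata at the directory the load balancer and Mongrel actually serve from.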