[Mongrel] SVN security hole explained
ezmobius at gmail.com
Fri Aug 25 11:57:08 EDT 2006
On Aug 25, 2006, at 8:26 AM, Francois Beausoleil wrote:
> Hi all,
> If you are using Pound / Pen or another load balancer, I believe you
> should read this:
> My article refers to Dan Benjamin's
> My point is that even though we are preventing Apache from serving
> anything except a select few file extensions, Mongrel is serving up
> the files behind the scenes.
> So, http://myrailsapp.com/.svn/entries exposes Subversion metadata.
> Go and read the posts, well worth the time:
> Bye!
> François Beausoleil
Yup, this is a problem with Capistrano's default deploy.rb file. It
uses svn co so all the .svn metadata is there by default. I
personally always set :checkout, "export" in my deploy.rb files
so this cannot happen, just like you mention on your blog. I feel it's
worth the trade-off of not being able to hot patch your current
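As an added example (not code from Ezra's reply, the thread, or Capistrano itself), a Ruby post-deploy check that walks a release directory and reports any version-control metadata directories, such as the .svn directories that "svn co" leaves behind and "svn export" does not; the function names and the sample release tree it builds are constructed for illustration.

```ruby
# Added example, not from the original thread: walk a deployed release
# directory and report VCS metadata directories (.svn, .git, ...) that a
# web server or Mongrel might otherwise serve to the public.
require 'find'
require 'tmpdir'
require 'fileutils'

# Directory names that hold VCS metadata and should never reach a web root.
VCS_METADATA_DIRS = %w[.svn .git .hg CVS].freeze

# Returns the sorted relative paths of every VCS metadata directory under
# root. A matched directory is pruned, so .svn/text-base and friends are
# not reported separately from their parent .svn.
def find_vcs_metadata(root)
  found = []
  Find.find(root) do |path|
    next unless File.directory?(path)
    if VCS_METADATA_DIRS.include?(File.basename(path))
      found << path.sub(%r{\A#{Regexp.escape(root)}/?}, '')
      Find.prune
    end
  end
  found.sort
end

# Builds a constructed release tree that mimics what "svn co" leaves
# behind (including a public/.svn/entries file). Demonstration only.
def build_sample_release(base)
  %w[public public/.svn public/images/.svn app/models app/models/.svn].each do |d|
    FileUtils.mkdir_p(File.join(base, d))
  end
  File.write(File.join(base, 'public/.svn/entries'), "8\n\ndir\n")
  base
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    build_sample_release(dir)
    leaks = find_vcs_metadata(dir)
    if leaks.empty?
      puts "no VCS metadata found under #{dir}"
    else
      puts "VCS metadata found (use 'svn export' or remove before serving):"
      leaks.each { |l| puts "  #{l}" }
    end
  end
end
```

Run it as a Capistrano after-deploy task against the current release path and fail the deploy when the returned list is non-empty.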