[Mongrel] SVN security hole explained
imtall at gmail.com
Fri Aug 25 12:22:32 EDT 2006
> If you are using Pound / Pen or another load balancer, I believe you
> should read this:
> My article refers to Dan Benjamin's
> My point is that even though we are preventing Apache from serving
> anything except a select few file extensions, Mongrel is serving up
> the files behind the scenes.
> So, http://myrailsapp.com/.svn/entries exposes Subversion metadata.
> Go and read the posts, well worth the time:
Thanks for pointing that one out! If you do use Pound and don't want
to change your deploy method, just add this to your pound.cfg after
That will give a 503 to anyone trying to access it. This assumes pound
is running in front. Note this will block anything with ".svn" in the
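As an added illustration, not code from this thread, from pound or from Mongrel: a Ruby check that blocks requests whose path contains a ".svn" directory segment, next to the broader substring match that a rule keyed on the text ".svn" would make. The sample paths are constructed.

```ruby
require "uri"

# True when the request path has a ".svn" directory segment,
# e.g. "/.svn/entries" or "/app/.svn/wc.db" (the Subversion metadata
# a front-end proxy should never pass through to the app server).
def svn_path?(raw_path)
  # Only the path decides; drop any query string first.
  path = raw_path.to_s.split("?", 2).first.to_s
  # Undo percent-encoding once, so "%2Esvn" is seen as ".svn".
  begin
    path = URI.decode_www_form_component(path)
  rescue ArgumentError
    # Malformed %-escape: fall back to the raw path rather than failing open.
  end
  # Compare whole segments, not substrings, so "report.svn.txt" is not caught.
  path.split("/").any? { |seg| seg.downcase == ".svn" }
end

# The loose check: anything with ".svn" anywhere in the request line.
# This is what a plain pattern on ".svn" blocks (including legitimate files).
def svn_substring?(raw_path)
  raw_path.to_s.downcase.include?(".svn")
end

# Constructed sample requests and what each check says about them.
SAMPLE_PATHS = [
  "/.svn/entries",           # the case from the thread
  "/app/%2Esvn/wc.db",       # percent-encoded dot
  "/files/report.svn.txt",   # legitimate file, only the loose check hits
  "/index.html?q=.svn",      # ".svn" only in the query string
  "/stylesheets/main.css"    # unrelated request
].freeze

# Returns { path => [segment_match, substring_match] } for a list of paths.
def classify(paths = SAMPLE_PATHS)
  paths.each_with_object({}) do |p, out|
    out[p] = [svn_path?(p), svn_substring?(p)]
  end
end
```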