[Mongrel] SVN security hole explained

John Butler imtall at gmail.com
Fri Aug 25 12:22:32 EDT 2006

> If you are using Pound / Pen or another load balancer, I believe you
> should read this:
> http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel
> My article refers to Dan Benjamin's
> http://hivelogic.com/articles/2006/04/30/preventing_svn_exposure
> My point is that even though we are preventing Apache from serving
> anything except a select few file extensions, Mongrel is serving up
> the files behind the scenes.
> So, http://myrailsapp.com/.svn/entries exposes Subversion metadata.
> Go and read the posts, well worth the time:
> http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel

Thanks for pointing that one out! If you do use Pound and don't want
to change your deploy method, just add this to your pound.cfg after

  URL "\\.svn"

That will give a 503 to anyone trying to access it. This assumes pound
is running in front. Note this will block anything with ".svn" in the
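Added example (not from the post or from the Pound project): the `URL "\\.svn"` pattern above refuses any request whose URL contains ".svn" anywhere, so this Ruby script models that loose pattern beside a tighter one that only matches a ".svn" path component. The tighter pattern is an assumption, Pound's matcher is assumed to be POSIX-style, and the sample paths are constructed, so check the pattern against your own Pound version before using it in pound.cfg.

```ruby
# Compare the loose pound.cfg pattern with a tighter one that blocks only
# Subversion metadata directories. Matching is modelled with Ruby regexes
# against the request path; Pound's own engine is assumed to behave alike.

# The pattern from the post: any URL containing ".svn" is refused.
LOOSE_PATTERN = /\.svn/

# Tightened pattern (assumption, not from the post): ".svn" must be a whole
# path component, preceded by "/" and followed by "/", "?" or end of path.
# Case-insensitive so that /.SVN/entries is also refused on filesystems
# that ignore case.
STRICT_PATTERN = %r{/\.svn(/|\?|$)}i

# True when a request path would be refused under the given pattern.
def blocked?(path, pattern)
  !!(path =~ pattern)
end

# Constructed sample request paths (not real traffic).
SAMPLE_PATHS = [
  "/.svn/entries",                              # metadata: must be refused
  "/images/.svn/text-base/logo.png.svn-base",   # nested metadata: refuse
  "/docs/notes.svn.txt",                        # legitimate file name
  "/svn/trunk/README",                          # ordinary path, no dot
  "/.SVN/entries",                              # case variant of metadata
]

# Report which paths each pattern refuses; handy when tuning pound.cfg.
def report(paths = SAMPLE_PATHS)
  paths.map do |p|
    { path: p,
      loose: blocked?(p, LOOSE_PATTERN),
      strict: blocked?(p, STRICT_PATTERN) }
  end
end

if __FILE__ == $PROGRAM_NAME
  report.each do |r|
    puts format("%-45s loose=%-5s strict=%s", r[:path], r[:loose], r[:strict])
  end
end
```

The report shows that the loose pattern also refuses /docs/notes.svn.txt while missing /.SVN/entries, whereas the strict pattern does the reverse.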


More information about the Mongrel-users mailing list