[Mongrel] SVN security hole explained

Zed Shaw zedshaw at zedshaw.com
Fri Aug 25 19:07:49 EDT 2006


On Fri, 2006-08-25 at 11:26 -0400, Francois Beausoleil wrote:
> Hi all,
> 
> If you are using Pound / Pen or another load balancer, I believe you
> should read this:
> 
> http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel
> 
> My article refers to Dan Benjamin's
> http://hivelogic.com/articles/2006/04/30/preventing_svn_exposure
> 
> My point is that even though we are preventing Apache from serving
> anything except a select few file extensions, Mongrel is serving up
> the files behind the scenes.
> 
> So, http://myrailsapp.com/.svn/entries exposes Subversion metadata.
> 
> Go and read the posts, well worth the time:
> http://blog.teksol.info/articles/2006/08/25/subversion-metadata-exposure-on-mongrel

Good points all around, but that's not really a Mongrel security hole,
that's an svn security hole.  The fact that it puts tons of crap into
your directories along with all the files it's managing is always a bad
idea.  It's also the reason I use svk and don't like putting svn online.

But, now with everyone using Capistrano I can see this as a pretty big
problem.  I wonder if you could just modify the cap tasks to simply
delete all the .svn directories after the app is deployed?

find . -name ".svn" -type d -prune -exec rm -rf {} \;

And then the problem is permanently solved.  I believe this would work with
Capistrano since it makes whole new checked-out directories with svn and
doesn't use it after that.

Anyway, good write-up, I'll add that to the Pound documentation for
Mongrel.


-- 
Zed A. Shaw
http://www.zedshaw.com/
http://mongrel.rubyforge.org/
http://www.lingr.com/room/3yXhqKbfPy8 -- Come get help.
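As an added illustration of the cleanup step discussed in the message above (this is not code from the original post, from Mongrel, or from Capistrano), the following POSIX shell script strips every .svn directory out of a release tree and then checks that nothing named .svn survives, so the `.svn/entries` file the thread describes can no longer be served. The mock checkout it builds in a temporary directory is constructed here purely so the script runs offline; the `strip_svn_metadata`, `count_svn_metadata`, `make_mock_checkout` and `demo` function names, and the assumption that the release path is passed as the first argument, are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): strip Subversion metadata
# from a deployed release tree and verify nothing named .svn is left.
# Assumes POSIX sh and find; the release path is the first argument.

# Remove every .svn directory under $1. -prune stops find from descending
# into a directory it is about to delete (which otherwise produces
# "No such file or directory" noise); {} + batches paths into one rm.
strip_svn_metadata() {
    find "$1" -type d -name .svn -prune -exec rm -rf {} +
}

# Count .svn entries (directories or files) still under $1. 0 means clean.
count_svn_metadata() {
    find "$1" -name .svn | wc -l | tr -d ' '
}

# Build a constructed mock checkout in a temp dir so the demo runs offline.
# The layout mimics a Rails app with .svn metadata at several depths.
make_mock_checkout() {
    root=$(mktemp -d)
    mkdir -p "$root/.svn/text-base" \
             "$root/app/controllers/.svn" \
             "$root/public/images/.svn"
    # The file the thread says is exposed at /.svn/entries (fake content).
    printf '8\n\ndir\n' > "$root/.svn/entries"
    printf 'class ApplicationController; end\n' \
        > "$root/app/controllers/application.rb"
    printf 'hello\n' > "$root/public/index.html"
    echo "$root"
}

# Returns 0 when the tree is clean after stripping and the real files
# survived; 1 otherwise. Cleans up the temp dir either way.
demo() {
    root=$(make_mock_checkout)
    strip_svn_metadata "$root"
    left=$(count_svn_metadata "$root")
    status=1
    if [ "$left" -eq 0 ] \
       && [ -f "$root/public/index.html" ] \
       && [ -f "$root/app/controllers/application.rb" ]; then
        status=0
    fi
    rm -rf "$root"
    return $status
}
```

Run `strip_svn_metadata /path/to/current/release` as a post-checkout step of whatever deploy tooling you use, then confirm with `count_svn_metadata` that the count is 0 before the release is switched live; the check matters because a single surviving `.svn/entries` anywhere under the public root is enough to leak repository paths.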
