
Security: Forbid browsing of .git directory #4502

Closed
wants to merge 1 commit into from

Conversation

jkbzh

@jkbzh jkbzh commented Oct 28, 2024

Hi, although we don't manage your site, w3.org got a report related to your site for a potential security issue. Here's the fix for it.

Hi team

Description
.git repository exposed at https://w3id.org/.git/

Step

  1. In your terminal type wget -mirror -I .git https://w3id.org/.git/
  2. go to the downloaded file directory
  3. git status
  4. Deleted files will appear
  5. git restore (any file)
  6. check git log also

Impact
Attacker can restore deleted files, and any of those files may contain the db user and db password

Best regards
Manjot Singh

@davidlehn
Collaborator

  • Thanks. I don't think it was any security issue, since all the git data is available here on github anyway. But it's cleaner to not allow that.
  • I put a block in the server config for now. When we eventually get "Move hosted files and rules to ids/ directory" (#3264) done, the .git dir would be outside of the web root dir, making this patch not needed.
  • Leaving this open for a bit. But probably will close unless someone thinks block should be in the root .htaccess too.

@jkbzh
Author

jkbzh commented Nov 21, 2024

Hi. Agreed, it's not a security issue.

You could also just add that restriction directly in the server's configuration file. The vanilla Apache on Debian proposes such a rule in conf-available/security.conf. You just need to remove the comment. Maybe this would be a big compromise to keep you from modifying your .htaccess file.

You may close this MR when you want.

KUDOS
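As an added example (not from this PR or the w3id.org configuration), the two Apache forms of the block discussed in this thread, assuming Apache 2.4 with mod_alias and mod_authz_core loaded, and assuming the commented-out rule in Debian's security.conf is the RedirectMatch 404 form:

```apache
# Option A: the rule Debian ships commented out in
# /etc/apache2/conf-available/security.conf (assumption: this is the
# line referred to above). Valid in server config, <VirtualHost>, and
# .htaccess. Answering 404 instead of 403 avoids confirming to a
# scanner that a .git tree exists at all.
RedirectMatch 404 "/\.git"

# Option B: an explicit deny. Server config or <VirtualHost> only;
# <DirectoryMatch> is not permitted inside .htaccess. Answers 403.
<DirectoryMatch "/\.git">
    Require all denied
</DirectoryMatch>

# Caveat: both patterns match any path segment starting with ".git",
# so /.gitignore, /.gitmodules and /.github are blocked too, which is
# normally what you want. To block only the repository directory:
# RedirectMatch 404 "/\.git(/|$)"
```

After `apachectl configtest` and a reload, `curl -sI https://example.org/.git/HEAD` (placeholder host) should return 404 or 403 with no body, and `.git/config` and `.git/index` should behave the same; the durable fix remains keeping the checkout outside the web root, as #3264 intends.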

@davidlehn
Collaborator

I did add the restriction to the site config when this was created. That security line is shorter though. Either way, it's blocked now. Closing.

@davidlehn davidlehn closed this Nov 21, 2024