
Security: Forbid browsing of .git directory #4502

Open: wants to merge 1 commit into master

Conversation

@jkbzh commented Oct 28, 2024

Hi, although we don't manage your site, w3.org got a report related to your site for a potential security issue. Here's the fix for it.

Hi team

Description
.git repository exposed at https://w3id.org/.git/

Steps

  1. In your terminal type wget --mirror -I .git https://w3id.org/.git/
  2. Go to the downloaded directory
  3. git status
  4. Deleted files will appear
  5. git restore (any file)
  6. Check git log also

Impact
An attacker can restore deleted files, and any file that contains the db user and
db password.

Best regards
Manjot Singh

@davidlehn (Collaborator) commented

Thanks. I don't think it was any security issue, since all the git data is available here on GitHub anyway. But it's cleaner to not allow that.

I put a block in the server config for now. When we eventually get #3264 (Move hosted files and rules to ids/ directory) done, the .git dir would be outside the web root dir, making this patch not needed.

Leaving this open for a bit. But probably will close unless someone thinks the block should be in the root .htaccess too.
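The two places the discussion above mentions, server config and root .htaccess, can each carry the block. The following is an added illustration of both forms, not the PR's own commit (which is not shown on this page) and not w3id.org's actual configuration; it assumes Apache 2.4 (`Require` syntax) and that mod_alias is loaded.

```apache
# Added example (not the PR's change): deny any request whose path contains a
# ".git" segment, so the repository cannot be mirrored over HTTP.

# 1. Server or vhost config (does not depend on AllowOverride). The match is
#    against the filesystem path, so it holds even if directory listing or a
#    rewrite rule would otherwise serve files from inside the repository.
#    Assumes Apache 2.4 "Require" access control.
<DirectoryMatch "/\.git(/|$)">
    Require all denied
</DirectoryMatch>

# 2. Root .htaccess (needs "AllowOverride FileInfo" for mod_alias directives).
#    Returning 404 instead of 403 avoids confirming that the directory exists.
#    The (/|$) suffix also catches a plain file named ".git" (a gitdir pointer
#    used by worktrees and submodules) while leaving ".gitignore" alone.
RedirectMatch 404 "/\.git(/|$)"
```

After a reload, `curl -sI https://example.org/.git/HEAD` (placeholder host) should return 404 from the .htaccess rule or 403 from the DirectoryMatch rule, and `.git/config` and `.git/index` should behave the same way. Dropping the `(/|$)` and matching `/\.git` alone additionally hides `.gitignore` and `.gitmodules`, which is usually also desirable on a public web root.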
