OSEC

Re: Webserver CVS (In)Security

From: Andrew Brown (atatatatatdot.net)
Date: Tue Apr 01 2003 - 16:33:35 CST


>A lot of people use CVS to manage their web content. It's a great way to
>keep track of changes, and makes updating and rollbacks a very easy
>thing to do.
>
>..BUT (there's always a but) this can be a _huge_ security risk.
>
>When I finally decided to manage my web content with CVS, I noticed
>something about the directory layout (after running a `cvs up`) of my
>website; there were a bunch of CVS directories with files in them. I
>always knew they were there when working with CVS (those files are the
>way CVS keeps track of versions and what not), but I never paid any mind
>to them.. until today.
>
>I opened up Mozilla and went to my website with a /CVS appended to the
>URL. Since I have Apache setup to disallow directory listings, I didn't
>get anything. Then I added /CVS/Entries to the URL. Two words came to
>mind: Uh-oh. The Entries file gave a complete listing of my webroot. It
>was like having ls(1) running on my webserver. The Entries file showed
>all the files and directories people normally wouldn't be able to see or
>even scan for. It would seem that having the directory listing option
>disabled in my httpd.conf didn't matter anymore.
>...

keep two trees.

tree 1 (let's call it /foo/cvs) is a copy of the cvs material with all
the cvs subdirs and meta-files in it.

tree 2 (let's call it /foo/www) is updated as follows whenever you cvs
update tree 1, or whatever you do to maintain it.

        % cd /foo/cvs
        % rsync -CHar --delete . /foo/www

--
|-----< "CODE WARRIOR" >-----|
codewarriordaemon.org * "ah! i see you have the internet
twofsonetgraffiti.com (Andrew Brown) that goes *ping*!"
werdnasquooshy.com * "information is power -- share the wealth."
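The two-tree publish step described in this reply, as an added example that is not part of the message or of rsync itself: a Python equivalent of the `rsync -C --delete` copy from the checkout tree into the web root, followed by a check that the web root serves no CVS metadata. The sample checkout, its Entries contents and all paths are constructed; is_cvs_noise covers only a subset of rsync's built-in CVS exclusion list (an assumption noted in the code).

```python
import os
import shutil
import tempfile
from pathlib import Path

def is_cvs_noise(name):
    # Subset of rsync -C's built-in CVS exclusion list (assumption: enough for a web checkout)
    return (name in {"CVS", "RCS", "SCCS", ".cvsignore", "core"}
            or name.endswith(("~", ".orig", ".rej", ".bak")))

def publish_tree(cvs_tree, www_tree):
    copied, deleted = [], []
    for root, dirs, files in os.walk(cvs_tree):  # pass 1: copy, never descending into CVS/
        dirs[:] = [d for d in dirs if not is_cvs_noise(d)]
        rel = os.path.relpath(root, cvs_tree)
        os.makedirs(os.path.join(www_tree, rel), exist_ok=True)
        for f in files:
            if not is_cvs_noise(f):
                shutil.copy2(os.path.join(root, f), os.path.join(www_tree, rel, f))
                copied.append(os.path.normpath(os.path.join(rel, f)))
    # pass 2: rsync's --delete, extended to also purge metadata already sitting in the web root
    for root, dirs, files in os.walk(www_tree, topdown=False):
        rel = os.path.relpath(root, www_tree)
        for name in files + dirs:
            if is_cvs_noise(name) or not os.path.exists(os.path.join(cvs_tree, rel, name)):
                target = os.path.join(root, name)
                (shutil.rmtree if os.path.isdir(target) else os.remove)(target)
                deleted.append(os.path.normpath(os.path.join(rel, name)))
    return sorted(copied), sorted(deleted)

def leaked_metadata(www_tree):  # post-publish check: names rsync -C would skip, now served
    return sorted(os.path.normpath(os.path.join(os.path.relpath(root, www_tree), n))
                  for root, dirs, files in os.walk(www_tree)
                  for n in dirs + files if is_cvs_noise(n))

def demo():
    sample = {  # constructed checkout and web root; Entries lines use CVS's /name/rev/date// form
        "cvs/index.html": "<h1>home</h1>", "cvs/index.html~": "editor backup",
        "cvs/admin/secret.html": "<h1>not linked from anywhere</h1>",
        "cvs/CVS/Entries": "/index.html/1.3/Tue Apr  1 20:00:00 2003//\nD/admin////\n",
        "cvs/admin/CVS/Entries": "/secret.html/1.1/Tue Apr  1 20:00:00 2003//\n",
        "www/old.html": "dropped from CVS last week", "www/CVS/Entries": "D/admin////\n",
    }
    with tempfile.TemporaryDirectory() as base:
        for name, body in sample.items():
            Path(base, name).parent.mkdir(parents=True, exist_ok=True)
            Path(base, name).write_text(body)
        cvs, www = os.path.join(base, "cvs"), os.path.join(base, "www")
        before = leaked_metadata(www)  # what the web root exposed before the publish
        return (before, *publish_tree(cvs, www), leaked_metadata(www))
```

One difference from the rsync command: this delete pass also removes a CVS directory that was already in the web root, whereas rsync protects excluded names on the receiving side from --delete unless --delete-excluded is also given.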