Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prevent access to .git/ directory #205

Merged
merged 1 commit into from Oct 13, 2019

Conversation

@clcain
Copy link
Contributor

clcain commented Oct 11, 2019

I installed phpVirtualBox from source and noticed that the .git/ directory was available publicly via HTTP. As this could be a security vulnerability, I figured it would be good to make sure to blacklist everything in .git/.

@trasherdk

This comment has been minimized.

Copy link

trasherdk commented Oct 11, 2019

One could argue that you should not run phpVirtualBox out of your dev environment.

And, how could the contents of .git become an vulnerability?
Does that directory contain anything not available on github?

@clcain

This comment has been minimized.

Copy link
Contributor Author

clcain commented Oct 11, 2019

Just trying to prevent unexpected behavior. I would hope nothing private is in the git history, but I can imagine someone not being aware that their commits are being hosted along with the application.

@trasherdk

This comment has been minimized.

Copy link

trasherdk commented Oct 11, 2019

I would be more concerned about the login being exposed to random drive-by hacking attempts.
Your installation should be protected by more than a simple login.

@h6w

This comment has been minimized.

Copy link
Collaborator

h6w commented Oct 13, 2019

@trasherdk 's point is valid. A good sysadmin should protect it in multiple ways (My deployments aren't even accessible publicly but only via VPN/SSH/Virtual/Host/Local Network with 2FA.) However, @clcain 's point is that it's a possibility, and this is a simple fix, I'm going to allow it. Thanks for the suggestion!

@h6w h6w merged commit 3c981d4 into phpvirtualbox:develop Oct 13, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.