Prevent access to .git/ directory #205
Conversation
|
One could argue that you should not run phpVirtualBox out of your dev environment. And, how could the contents of .git become a vulnerability? |
|
Just trying to prevent unexpected behavior. I would hope nothing private is in the git history, but I can imagine someone not being aware that their commits are being hosted along with the application. |
|
I would be more concerned about the login being exposed to random drive-by hacking attempts. |
|
@trasherdk's point is valid. A good sysadmin should protect it in multiple ways. (My deployments aren't even accessible publicly but only via VPN/SSH/Virtual/Host/Local Network with 2FA.) However, @clcain's point is that it's a possibility, and this is a simple fix; I'm going to allow it. Thanks for the suggestion! |
I installed phpVirtualBox from source and noticed that the .git/ directory was available publicly via HTTP. As this could be a security vulnerability, I figured it would be good to make sure to blacklist everything in .git/.
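
The behaviour discussed in this pull request, as an added example that is not part of the PR or of phpVirtualBox: a static file server pointed at a source checkout hands out `.git/` files like any other file, and a per-request check on the decoded path closes that. Python's `http.server` stands in for the real web server here; the handler names, the sample files and the 404 response are assumptions, since the rule the PR actually adds is not shown on this page.

```python
import functools
import http.client
import http.server
import os
import tempfile
import threading
from urllib.parse import unquote

def is_git_path(request_path):
    """True if any percent-decoded path segment is '.git' (case-insensitive)."""
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    return any(seg.lower() == ".git" for seg in unquote(path).split("/"))

class PlainHandler(http.server.SimpleHTTPRequestHandler):
    """Stand-in for a web server that serves the checkout as-is."""
    def log_message(self, *args):
        pass  # keep the demo quiet

class DenyGitHandler(PlainHandler):
    """Same server, but every GET under .git/ is answered with 404."""
    def do_GET(self):
        if is_git_path(self.path):
            self.send_error(404)
        else:
            super().do_GET()

def status_for(handler_cls, docroot, path):
    """Serve docroot on loopback and return the HTTP status of one GET."""
    handler = functools.partial(handler_cls, directory=docroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
        return status
    finally:
        server.shutdown()
        server.server_close()

def demo():
    """Constructed checkout: index.html with a .git/ directory beside it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, ".git"))
        for name in ("index.html", os.path.join(".git", "HEAD")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("constructed sample\n")
        return {(h.__name__, p): status_for(h, root, p)
                for h in (PlainHandler, DenyGitHandler)
                for p in ("/index.html", "/.git/HEAD", "/%2Egit/HEAD")}
```

The check decodes the path before matching, so the percent-encoded form `/%2Egit/HEAD` is refused as well, while names such as `.gitignore` that merely start with `.git` are not treated as part of the repository directory.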