[SECURITY] .git, .svn, and .hg


[SECURITY] .git, .svn, and .hg

by Brian Loomis-3

I became aware of an exploit that pertains to using version control  
and wanted to post an update to my version control webinar.

If you are using version control you need to take care to secure these  
directories from Apache. It's not enough to just have directory access  
turned off; you need to explicitly disallow these (or all directories  
beginning with a dot), depending on your setup. To protect version control  
you should add the following to the site.conf file (or the whole httpd.conf) in Apache:

   # Disallow viewing of .svn, .git and .hg directory contents.
   # The pattern is anchored to a whole path component, so a directory
   # whose name merely contains ".git" (e.g. "site.git" or ".git-old")
   # is not denied by accident.
   <Directory ~ "/\.(svn|git|hg)(/|$)">
     Order allow,deny
     Deny from all
   </Directory>

This resolved an issue I discovered where .git/config is viewable,  
revealing config information used to assign blame and format patches.

This is crucial for .svn as Subversion creates multiple .svn files in  
every node of a repository.

Brian Loomis
http://www.virtualrelations.us
(208) 639-2569 - 208 NEW BLOX
-- email checked daily --
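What an exposed .git/config hands over, as an added example (this is not part of Brian's post and not his code): a small parser for git's config syntax, a check for credentials embedded in remote URLs, and the user.name/user.email that git uses for authorship. The sample config, with its hosts, user names and token, is constructed for the example.

```python
import re
import sys
from urllib.parse import urlsplit

# Constructed sample of a .git/config as it could be fetched from an exposed
# site (hypothetical hosts, accounts and token; not from a real repository).
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://deploy:s3cr3t-token@git.example.com/acme/webapp.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:acme/webapp.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
[branch "master"]
\tremote = origin
\tmerge = refs/heads/master
[user]
\tname = Alice Example
\temail = alice@example.com
"""

SECTION_RE = re.compile(r'^\[(?P<name>[\w.-]+)(?:\s+"(?P<sub>[^"]*)")?\]$')
KEY_RE = re.compile(r'^(?P<key>[\w-]+)\s*=\s*(?P<value>.*)$')


def parse_git_config(text):
    """Parse git-config syntax into {"section.subsection": {key: [values]}}.

    Keys may repeat in git config (multi-valued), so each key maps to a list.
    Comments (# or ;) and blank lines are skipped; include directives and
    quoting inside values are not handled, as this check does not need them.
    """
    config = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group("name").lower()
            if m.group("sub") is not None:
                name = f'{name}.{m.group("sub")}'
            current = config.setdefault(name, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current.setdefault(m.group("key").lower(), []).append(m.group("value"))
    return config


def remote_urls(config):
    """Map each remote name to its list of URLs."""
    return {
        section[len("remote."):]: keys.get("url", [])
        for section, keys in config.items()
        if section.startswith("remote.")
    }


def leaked_credentials(config):
    """Return [(remote, username, password)] for remote URLs carrying userinfo.

    A token or password in a remote URL is the worst case: anyone who can read
    .git/config can clone (and often push) as that account.  A bare username is
    reported as well, since it tells an attacker which account to target.
    scp-style URLs such as git@host:path have no userinfo and are not flagged.
    """
    leaks = []
    for name, urls in remote_urls(config).items():
        for url in urls:
            parts = urlsplit(url)
            if parts.username or parts.password:
                leaks.append((name, parts.username, parts.password))
    return leaks


def committer_identity(config):
    """Return (user.name, user.email) if the config sets either, else None."""
    user = config.get("user", {})
    if "name" in user or "email" in user:
        return (user.get("name", [None])[0], user.get("email", [None])[0])
    return None


def main(argv):
    # With a file argument, inspect that config; otherwise use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONFIG
    cfg = parse_git_config(text)
    for name, urls in remote_urls(cfg).items():
        print(f"remote {name}: {', '.join(urls)}")
    for name, user, password in leaked_credentials(cfg):
        print(f"CREDENTIAL in remote {name!r}: user={user!r} "
              f"password={'set' if password else 'none'}")
    if committer_identity(cfg):
        print("committer identity:", committer_identity(cfg))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to see the sample, or pass a saved .git/config; a remote URL with a password or token in it is the finding that turns an information leak into repository access.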


--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/



Re: [SECURITY] .git, .svn, and .hg

by Brian Loomis-3

I haven't tested this because I'm not using svn, but I think my post  
may not wildcard for *.svn.

Can anyone concur?

On Oct 28, 2009, at 12:36 PM, Brian Loomis wrote:




Re: [SECURITY] .git, .svn, and .hg

by Brad Lindsay-2

Of course it would happen that my (and MySQL's) favorite version  
control system would get left off the list :-)

This applies for Bazaar as well (.bzr)

Thanks Brian!
-Brad




On Oct 28, 2009, at 2:36 PM, Brian Loomis wrote:




Re: [SECURITY] .git, .svn, and .hg

by Brian Loomis-3

Adjusted:

   # Disallow viewing of .svn, .git, .hg and .bzr directory contents.
   # The pattern is anchored to a whole path component, so a directory
   # whose name merely contains ".git" (e.g. "site.git" or ".git-old")
   # is not denied by accident.
   <Directory ~ "/\.(svn|git|hg|bzr)(/|$)">
     Order allow,deny
     Deny from all
   </Directory>

On Oct 28, 2009, at 12:47 PM, Brad Lindsay wrote:




Re: [SECURITY] .git, .svn, and .hg

by Eric Landmann

On 10/28/09 at 1:43 PM, brian@... (Brian Loomis) wrote:

> I haven't tested this because I'm not using svn, but I think my post may not wildcard for
> *.svn.

This rule works for .svn directories:

# Disallow .svn directory and contents
<Directory ~ \.(svn)>
    Order allow,deny
    Deny from all
</Directory>

--Eric





Re: [SECURITY] .git, .svn, and .hg

by Brad Lindsay-2

Brian,
I just implemented this on one of my servers, but it's not working.  I  
can still access my .bzr folder and items therein.  I've tried putting  
the Directory inside my virtual host directive as well as having it  
outside.  Apache restarts just fine with no errors that I can see, but  
access to those folders isn't blocked.  Any ideas?

-Brad


On Oct 28, 2009, at 2:50 PM, Brian Loomis wrote:




Re: [SECURITY] .git, .svn, and .hg

by Brad Lindsay-2

Apparently it's an issue with Lasso 9 and not your Apache directive.

-Brad

On Oct 28, 2009, at 3:29 PM, Brad Lindsay wrote:




Re: [SECURITY] .git, .svn, and .hg

by Brian Loomis-3

What version of Apache are you using?

I was using 1.3 with that.  I have not tested it on 2.x

On Oct 28, 2009, at 1:29 PM, Brad Lindsay wrote:




Re: [SECURITY] .git, .svn, and .hg

by Eric Landmann

On 10/28/09 at 2:34 PM, brian@... (Brian Loomis) wrote:

>what version of apache are you using?
>I was using 1.3 with that.  I have not tested it on 2.x

The rule I posted for .svn is working on Apache 2.2.11 on Mac OS
X Server 10.5.8. It's inside of a virtual host configuration.

--Eric





Re: [SECURITY] .git, .svn, and .hg

by Eric Landmann

You can test to see if it works by hitting either the directory, or any file in it, e.g.:

http://www.yoursite.com/.svn/entries

--Eric
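The manual check above (fetch /.svn/entries and see whether you get a 403), extended to the other systems the thread covers, as an added example that is not code from the thread. It is a little stricter than looking at the status code: each response body is compared with a signature of the real file, so a site that serves its error page with status 200 for every URL does not show up as exposed, and at most 4 KB of each response is read. The target host and the sample responses are constructed; with no argument the script runs against them offline, with a URL argument it probes that site.

```python
import re
import sys
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# (path, what it is, predicate: does the body look like the real file?)
PROBES = [
    ("/.git/HEAD", "git HEAD ref",
     lambda b: b.startswith(b"ref: refs/")
     or re.fullmatch(rb"[0-9a-f]{40,64}\s*", b) is not None),
    ("/.git/config", "git repository config",
     lambda b: re.match(rb"\s*\[(core|remote|branch|user)\b", b) is not None),
    ("/.svn/entries", "svn working-copy entries (pre-1.7 layout)",
     lambda b: re.match(rb"\d+\r?\n", b) is not None),
    ("/.svn/wc.db", "svn working-copy database (1.7+ layout)",
     lambda b: b.startswith(b"SQLite format 3\x00")),
    ("/.hg/requires", "hg repository requirements",
     lambda b: b"revlogv1" in b),
    ("/.bzr/branch-format", "bzr branch format marker",
     lambda b: b.startswith(b"Bazaar-NG")),
]

MAX_BODY = 4096  # enough for every signature; never pull a whole wc.db


def http_fetch(url, timeout=10):
    """Return (status, first MAX_BODY bytes); (None, b'') on a network error."""
    req = Request(url, headers={"User-Agent": "vcs-exposure-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(MAX_BODY)
    except HTTPError as err:          # 403/404/500 still carry a body
        return err.code, err.read(MAX_BODY)
    except URLError:
        return None, b""


# Constructed responses for an offline run: git metadata is exposed, the svn
# paths answer a "soft 404" (status 200 with an HTML error page), .hg is
# properly blocked and .bzr does not exist.
SAMPLE_SITE = {
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n"),
    "/.svn/entries": (200, b"<html><body><h1>Page not found</h1></body></html>"),
    "/.svn/wc.db": (200, b"<html><body><h1>Page not found</h1></body></html>"),
    "/.hg/requires": (403, b"<html>Forbidden</html>"),
}


def sample_fetch(url):
    """Stand-in for http_fetch that serves SAMPLE_SITE."""
    return SAMPLE_SITE.get(urlsplit(url).path, (404, b"Not Found"))


def probe(base_url, fetch=http_fetch):
    """Return [(path, status, exposed)] for every entry in PROBES.

    A path counts as exposed only when the status is 200 AND the body matches
    the file's signature, so catch-all 200 pages are not reported.
    """
    base = base_url.rstrip("/")
    results = []
    for path, _what, looks_real in PROBES:
        status, body = fetch(base + path)
        results.append((path, status, status == 200 and looks_real(body)))
    return results


def main(argv):
    if len(argv) > 1:
        target, fetch = argv[1], http_fetch
    else:
        target, fetch = "https://example.test", sample_fetch   # offline demo
    found = False
    for (path, what, _), (_, status, exposed) in zip(PROBES, probe(target, fetch)):
        flag = "EXPOSED" if exposed else "ok     "
        print(f"{flag} {status!s:>4} {path:22} {what}")
        found |= exposed
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A 403 from the Directory block in this thread shows up as "ok"; so does a 200 whose body is a placeholder page, which is the case the plain status check gets wrong. Run it again after every deploy, since a working copy checked out into the document root brings the metadata back.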





Re: [SECURITY] .git, .svn, and .hg

by bilcorry

Brian Loomis wrote on 10/28/2009 11:36 AM:
> This resolved an issue I discovered where .git/config is viewable
> revealing config information used to assign blame and format patches.
>
> This is crucial for .svn as subversion creates multiple .svn files in
> every node of a repository.

I use this to block any path where a component begins with an underscore or a period (e.g. /.svn, /hello/_world/, /_secret.lasso, etc.):

    # Block serving files and folders starting with underscore or period
    # (the dot in /.well-known/ is escaped so only that literal prefix is exempt)
    RewriteCond %{REQUEST_URI}  !^/\.well-known/.*$
    RewriteRule (^|/)(_|\.).*$  - [L,NS,F]

The first conditional excludes /.well-known/, which you can read about here:

        http://tools.ietf.org/html/draft-nottingham-site-meta


- Bil





Re: [SECURITY] .git, .svn, and .hg

by bilcorry

Brian Loomis wrote on 10/28/2009 11:36 AM:
> This resolved an issue I discovered where .git/config is viewable
> revealing config information used to assign blame and format patches.

Oops, meant to pass along this too:

        Basic Flaw Reveals Source Code to 3,300 Popular Websites
        http://www.techcrunch.com/2009/09/23/basic-flaw-reveals-source-code-to-3300-popular-websites/


- Bil





Re: [SECURITY] .git, .svn, and .hg

by Steve Piercy

On 10/28/09 at 11:06 PM, bil@... (Bil Corry) pronounced:

>I use this to block any path where a component begins with
>underscore or a period(e.g. /.svn, /hello/_world/,
>/_secret.lasso, etc...):
>
># Block serving files and folders starting with underscore or period
>RewriteCond %{REQUEST_URI}  !^/\.well-known/.*$
>RewriteRule (^|/)(_|\.).*$  - [L,NS,F]
>
>The first conditional excludes /.well-known/, which you can read about here:
>
>http://tools.ietf.org/html/draft-nottingham-site-meta

What is the relevance to /.well-known/ in this context?  Is it
just a way to match everything, but avoid whatever has been
registered as "/.well-known/"?

Does your RewriteRule say:

For matching requested URIs, rewrite anything that begins with
[nothing(?not sure?)] or a /, followed by _ or ., followed by
any number of characters, followed by the end of the URI,
performing no substitution, then making this RewriteRule the
Last, with No Subrequests, and return Forbidden?

--steve

-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
-- --
Steve Piercy               Web Site Builder              
Soquel, CA
<web@...>                  <http://www.StevePiercy.com/>





Re: [SECURITY] .git, .svn, and .hg

by bilcorry

Steve Piercy - Web Site Builder wrote on 10/29/2009 1:10 AM:

> What is the relevance to /.well-known/ in this context?  Is it just a
> way to match everything, but avoid whatever has been registered as
> "/.well-known/"?

Yes.  If you know you will never use /.well-known/ then you can omit that conditional.  Or add it later if you ever do use it.


> Does your RewriteRule say:
>
> For matching requested URIs, rewrite anything that begins with
> [nothing(?not sure?)] or a /, followed by _ or ., followed by any number
> of characters, followed by the end of the URI, performing no
> substitution, then making this RewriteRule the Last, with No
> Subrequests, and return Forbidden?

Apache evals the RewriteRule first, so it compares the request to the regex, in this case "if the start of a request OR a directory slash is followed by an underscore or period followed by anything, then match".  Then Apache uses the RewriteCond to further evaluate, and it says "if the request does NOT begin with /.well-known/, then match".  The flags L,NS,F tell it to not match on internal request, and to return FAIL to the browser.


- Bil
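Bil's two lines traced in Python, as an added example (not part of the thread and not Bil's code), so the effect of the pattern and of the negated condition can be seen without an Apache instance. It assumes, as a simplification, that both patterns are applied to the percent-decoded URL path with the query string removed, which is what mod_rewrite matches against in server context; the sample requests are constructed. It also runs each request against the condition as first posted (with an unescaped dot) and against the same condition with the dot escaped, to show what the escape changes.

```python
import re
from urllib.parse import unquote

# RewriteRule (^|/)(_|\.).*$  - [L,NS,F]
# Matched unanchored, as Apache does: a path component that starts with "_"
# or "." anywhere in the path.  "(^|/)" covers both server context, where the
# path always starts with "/", and per-directory (.htaccess) context, where
# the directory prefix is stripped and the path may start with "_secret".
BLOCK_PATTERN = re.compile(r"(^|/)(_|\.).*$")

# RewriteCond %{REQUEST_URI} !^/.well-known/.*$   (as first posted)
# The unescaped "." matches any character, so "/_well-known/..." or
# "/xwell-known/..." would be exempted along with "/.well-known/...".
WELL_KNOWN_AS_POSTED = re.compile(r"^/.well-known/.*$")
# The same condition with the dot escaped: only the literal prefix is exempt.
WELL_KNOWN_ESCAPED = re.compile(r"^/\.well-known/")


def is_forbidden(request_uri, well_known=WELL_KNOWN_ESCAPED):
    """Return True if Apache would answer 403 Forbidden for this request.

    Assumption (see the lead-in): the patterns see the percent-decoded URL
    path without the query string.
    """
    path = unquote(request_uri.split("?", 1)[0])
    if BLOCK_PATTERN.search(path) is None:
        return False    # RewriteRule pattern did not match: rule not applied
    if well_known.match(path) is not None:
        return False    # negated RewriteCond fails: rule not applied
    return True         # [F] Forbidden; [L] ends the rule set, [NS] skips subrequests


# Constructed sample requests.
SAMPLE_REQUESTS = [
    "/index.lasso",
    "/images/logo.png",
    "/.svn/entries",
    "/.git/config?raw=1",
    "/hello/_world/",
    "/_secret.lasso",
    "/%2Egit/HEAD",
    "/.well-known/host-meta",
    "/_well-known/anything",
]


def trace(requests=SAMPLE_REQUESTS):
    """Return [(uri, forbidden_as_posted, forbidden_escaped)] for each request."""
    return [(uri, is_forbidden(uri, WELL_KNOWN_AS_POSTED), is_forbidden(uri))
            for uri in requests]


if __name__ == "__main__":
    print(f"{'request':26} {'as posted':>10} {'escaped':>8}")
    for uri, posted, escaped in trace():
        print(f"{uri:26} {'403' if posted else '200':>10} "
              f"{'403' if escaped else '200':>8}")
```

The two versions differ only on the last request: a directory called _well-known slips past the condition as first posted because "." matches the underscore, and is blocked once the dot is escaped. The percent-encoded /%2Egit/HEAD is blocked either way because the match happens after decoding.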





Re: [SECURITY] .git, .svn, and .hg

by Pier Kuipers

Thanks for pointing that out, Brian. Big scary moment!

Pier

On Wed, Oct 28, 2009 at 6:36 PM, Brian Loomis <brian@...> wrote:




--
Pier Kuipers
Visual ID
Unit S02
Synergy Centre
ITT Tallaght
Dublin 24
Ireland
Tel. +353 1 9022 575
Mobile +353 87 294 3063
Web http://www.visualid.com




Re: [SECURITY] .git, .svn, and .hg

by Pier Kuipers

I was trying to be clever and added that directive to
/etc/apache2/sites/virtual_hosts_global.conf
That worked for all my vhosts, but unfortunately the Server Admin GUI
overwrites the file when you make a change to your configuration.
So it looks like I'll have to add this to each Vhost separately...

Pier


On Wed, Oct 28, 2009 at 7:25 PM, Eric Landmann
<elandmann@...> wrote:



