https://bugs.koozali.org/show_bug.cgi?id=12404
Bug ID: 12404
Summary: Allow directory listing does not block file access
Classification: Contribs
Product: SME Contribs
Version: 10.0
Hardware: ---
OS: ---
Status: CONFIRMED
Severity: normal
Priority: P3
Component: smeserver-webhosting
Assignee: [email protected]
Reporter: [email protected]
QA Contact: [email protected]
Target Milestone: ---
I had a test server which had a web app pulled from git.
I disabled directory listing via the web panel but it was scanned and reported
by https://www.repo-lookout.org/
Although directory listing was disabled, you could access individual files, e.g.
/.git/logs/config
I utilised a large hammer to stop this - crude but seemingly effective.
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/20DisableGitAccess
# Disable remote git access
RedirectMatch 403 ^/.*/\.git/.*$
RedirectMatch 403 ^/\.git/.*$
We ought to probably look at a more refined version of this. Per ibay, and do
we block other hidden directories?
Should this be a default in the core itself?
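As an aid to the "other hidden directories" question in the report, the following added example (not part of the bug report or of smeserver-webhosting) runs the report's two RedirectMatch patterns over constructed request paths, next to a hypothetical broader pattern that blocks any dot-prefixed path segment except /.well-known/. It assumes Python's re module behaves like Apache's PCRE for these patterns and that RedirectMatch matches with search semantics; GENERAL_RULE, blocked() and coverage() are names invented here.

```python
import re

# The two patterns from the report's 20DisableGitAccess template fragment.
REPORT_RULES = [r"^/.*/\.git/.*$", r"^/\.git/.*$"]

# Hypothetical generalisation (an assumption, not from the report): block any
# path segment that starts with a dot, except ".well-known/" (RFC 8615),
# which ACME HTTP-01 validation and similar services must be able to reach.
GENERAL_RULE = r"/\.(?!well-known/)[^/]"

# Constructed sample request paths, not taken from real logs.
SAMPLES = [
    "/.git/logs/config",                  # the file named in the report
    "/app/.git/HEAD",                     # repository below the web root
    "/.git",                              # bare directory name, no slash
    "/.svn/entries",                      # another VCS metadata directory
    "/app/.env",                          # hidden file rather than directory
    "/.well-known/acme-challenge/token",  # must stay reachable
    "/.well-known/.git/config",           # dot segment nested under it
    "/index.html",                        # ordinary content
]


def blocked(path, rules):
    """Return True if any rule matches the URL path (search semantics)."""
    return any(re.search(rule, path) for rule in rules)


def coverage(paths=SAMPLES):
    """Map each path to (blocked by report rules, blocked by general rule)."""
    return {
        p: (blocked(p, REPORT_RULES), blocked(p, [GENERAL_RULE]))
        for p in paths
    }


if __name__ == "__main__":
    for path, (rep, gen) in coverage().items():
        print(f"{path:36} report={'403' if rep else 'pass':4} "
              f"general={'403' if gen else 'pass'}")
```

The report's rules cover only paths containing "/.git/"; the broader pattern also covers the other dot-prefixed paths in the sample while leaving the ACME challenge path reachable.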