possible security vulnerability on gnucash.org

Derek Atkins warlord at MIT.EDU
Tue Oct 27 13:23:19 EDT 2009


I don't see it as a major issue. There's nothing in that data that
isn't available to anyone with an SVN client.  The website content is
publicly readable in SVN, and there's nothing in the SVN metadata that
should be private, AFAIK.

-derek

Damian Dimmich <djd20 at kent.ac.uk> writes:

> Hi,
>
> One easy way to get around this is to add the following at the start
> of your apache config:
>
> RewriteEngine On
> RewriteRule ^(.*/)?\.svn/ - [R=404,L]
>
> and making sure that you have mod_rewrite enabled.
>
> Cheers,
> Damian
>
> Konstantin Leonov wrote:
>> Hi there.
>>
>> I guess this info should not be available: http://gnucash.org/.svn/entries
>> If you'd like to fix that, remove site contents from svn or:
>>  1. copy stuff to other location
>>  2. commit it with svn.
>> Putting the site root under svn will result in all files being shown in
>> .svn/entries for each directory included in the repo.
>>
>> Konstantin.
>>
>>   
>

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
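
An added example, not part of the original thread: a Python check that applies the pattern from the quoted RewriteRule to every file under a document root, confirming that Subversion metadata is covered and ordinary content is not. Each path is tested with and without its leading slash, as mod_rewrite presents it in server and per-directory context; the sample tree and function names are constructed for illustration.

```python
import os
import re
import tempfile

# Pattern copied from the RewriteRule quoted in the thread.
SVN_RULE = re.compile(r"^(.*/)?\.svn/")

def rule_blocks(url_path):
    """True if the rule matches in server context (leading slash) and in
    per-directory context (leading slash stripped)."""
    return all(SVN_RULE.search(p) for p in (url_path, url_path.lstrip("/")))

def audit(docroot):
    """Map every file under docroot to (is_svn_metadata, rule_blocks)."""
    report = {}
    for dirpath, _dirs, files in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        parts = [] if rel == "." else rel.split(os.sep)
        for name in files:
            url = "/" + "/".join(parts + [name])
            report[url] = (".svn" in parts, rule_blocks(url))
    return report

def build_sample_tree(root):
    """Constructed sample docroot, not the real gnucash.org layout."""
    for rel in (".svn/entries", "docs/.svn/entries", "index.html",
                "docs/notes.svn/readme.txt", ".svnignore"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")

def run_demo():
    """Audit the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root)

if __name__ == "__main__":
    for url, (is_meta, blocked) in sorted(run_demo().items()):
        status = "EXPOSED" if is_meta and not blocked else "ok"
        print(f"{status:8} metadata={is_meta!s:5} blocked={blocked!s:5} {url}")
```

Calling `audit()` on a real document root lists any `.svn` files the rule would leave reachable, and any ordinary files it would wrongly hide.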

