Ruby Weekly is a weekly newsletter covering the latest Ruby and Rails news.

Capistrano Security Issue – SVN info often publicly viewable

By Peter Cooper / March 6, 2007

Andrew Birkett has stumbled across an interesting side effect of using SVN checkouts for deploying Rails applications in that, without adequate protection, SVN metadata is made available for all to see. In many cases this means you can see the revision number, the username of the last person to commit or update, and information about the SVN repository used. Andrew links to SVN files found at 37signals.com, Penny Arcade, and StrongSpace, which, at the time of writing, are all still viewable by the public. Luckily this problem is easily fixed by using svn export or a mod_rewrite rule. (I haven't tested this yet, but in theory I think this rewrite rule could work: RewriteRule ^.*.svn.*$ [F] )

I was going to e-mail some of these folks about it, but my mail program is not showing that I have addresses for any of the people at these companies, so.. this is the best way to get the news out especially since a lot of other readers are bound to have applications out there susceptible to this.

Comments

  1. Dee Zsombor says:
    March 6, 2007 at 6:24 am

    Or you could just use "svn export" instead of "svn co", this not only will be more secure but will yield a more snappier deploy too. Quite simple to implement by adding "set :checkout, :export" line into your capistrano deploy script.

  2. topfunky says:
    March 6, 2007 at 6:26 am

    Dan Benjamin discovered this almost a year ago and presented a solution:

    http://hivelogic.com/narrative/articles/preventing_svn_exposure

    The default RailsMachine install (available as a gem) inclues an Apache config that guards against this, so there are plenty of resources out there for people who want to deploy Rails safely.

  3. Ezra says:
    March 6, 2007 at 7:16 am

    You can also just do this in your cap recipe:

    set :checkout, 'export'

    Then it will do an svn export with no .svn files.

  4. Anatol Pomozov says:
    March 6, 2007 at 9:15 am

    Ezra.

    It should be done by default. I have no clue why Capistrano guys ignore this issue.

  5. Ted Han says:
    March 6, 2007 at 2:43 pm

    I think what's most interesting to note is that if this is known, is that the .svn dirs are still accessible on so many sites that are explicitly known for using capistrano.

  6. Philip Hallstrom says:
    March 6, 2007 at 3:45 pm

    If using apache, add this to your configuration which will result in a nice 404 instead of a 403 (not authorized) result for anything in the .svn directories.

    ErrorDocument 403 /404.html
    Order allow,deny
    Deny from all
    Satisfy All

  7. Philip Hallstrom says:
    March 6, 2007 at 3:46 pm

    Argh.

    <DirectoryMatch "^/.*/\.svn/">
    ErrorDocument 403 /404.html
    Order allow,deny
    Deny from all
    Satisfy All
    </DirectoryMatch>

  8. cap noob says:
    March 6, 2007 at 5:54 pm

    Ezra,
    I'm a cap noob, when you say cap recipe do you mean deploy.rb?

  9. Kevin says:
    March 8, 2007 at 3:20 pm

    Props for thinking this through and coming to a logical conclusion, but some better googling would have shown this issue was raised and solved by using svn export over a year ago. If some 37 signals sites are still showing these files, then they screwed up. I agree that export should be the default - does a public site need to run from a working copy? Not usually.

    You might need to google for 'switchtower' (the old name) to find the right info. http://clickablebliss.com/blog/2006/01/17/switchtower_0_10_now_offers_svn_export/

Other Posts to Enjoy

Twitter Mentions