Capistrano Security Issue – SVN info often publicly viewable
Andrew Birkett has stumbled across an interesting side effect of using SVN checkouts for deploying Rails applications: without adequate protection, the .svn metadata directories are served up for all to see. In many cases this means you can see the revision number, the username of the last person to commit or update, and information about the SVN repository used. Andrew links to SVN files found at 37signals.com, Penny Arcade, and StrongSpace, which, at the time of writing, are all still viewable by the public. Luckily this problem is easily fixed by deploying with svn export or by adding a mod_rewrite rule. (I haven't tested this yet, but in theory I think this rewrite rule could work:
RewriteRule ^.*\.svn.*$ - [F] )
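As an added example (not code from Andrew's post or from this article), here are two defender-side checks in Python for the problem above: an audit that walks a deployed document root for metadata directories left behind by a checkout-style deploy, and a path-segment-anchored pattern for the mod_rewrite fix, exercised against sample request paths. The sample tree, the request paths and the svn.example.invalid URL are all constructed here.

```python
"""Audit a served docroot for VCS metadata and check the blocking pattern."""
import os
import re
import tempfile
from pathlib import Path

# .svn is the case in the post; .git and .hg leak in exactly the same way.
VCS_DIRS = {".svn", ".git", ".hg"}

# Anchored to a path segment: matches ".svn" only as a whole directory name.
# A loose draft such as `^.*.svn.*$` (unescaped dot, no segment anchor) would
# also reject harmless paths like /docs/mysvnguide.html.
SVN_PATH_RE = re.compile(r"(^|/)\.svn(/|$)")


def request_should_be_blocked(path: str) -> bool:
    """True if an HTTP request path points into a .svn directory."""
    return SVN_PATH_RE.search(path) is not None


def find_exposed_vcs_dirs(docroot: str) -> list:
    """Return sorted relative paths of VCS metadata directories under docroot."""
    root = Path(docroot)
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            if name in VCS_DIRS:
                found.append(Path(dirpath, name).relative_to(root).as_posix())
                dirnames.remove(name)  # no need to descend into the metadata
    return sorted(found)


def build_sample_checkout(base: str) -> str:
    """Construct a fake checkout-style deploy tree (sample data, no real repo)."""
    public = Path(base, "public")
    (public / "stylesheets" / ".svn").mkdir(parents=True)
    (public / "index.html").write_text("<h1>hello</h1>\n")
    # Constructed stand-in for what .svn/entries holds: revision, repo URL, author.
    (public / "stylesheets" / ".svn" / "entries").write_text(
        "constructed sample: rev 1234 http://svn.example.invalid/app/trunk alice\n")
    return str(public)


def audit_sample() -> list:
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_exposed_vcs_dirs(build_sample_checkout(tmp))


if __name__ == "__main__":
    for rel in audit_sample():
        blocked = request_should_be_blocked("/" + rel + "/entries")
        print(f"exposed: /{rel}/  blocked by rule: {blocked}")
```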
I was going to e-mail some of these folks about it, but my mail program is not showing that I have addresses for any of the people at these companies, so this is the best way to get the news out, especially since a lot of other readers are bound to have applications out there susceptible to this.