Version control software is very popular among web developers, and Git is probably the most widely used tool. Unfortunately, the repository directory (e.g. .git) is often left unprotected in production environments. These folders contain not only the source code of a website but also database credentials, API access keys or tokens for popular cloud services such as Amazon AWS, and salts and hashes. Even more problematic is the private data contained in SQL dumps or CSV files.
Studies, e.g. by Internetwache.org or Jamie Brown, show that a considerable number of websites are affected by this problem.
Many publicly available tools can download entire Git or Subversion repositories even when directory listing is disabled.
To check whether your Git folder is accessible via the web, just point your browser to www.domain.tld/.git/config. If the server answers with an error page instead of the file contents, everything is fine. Otherwise you should protect your installation as soon as possible.
How to disable web access:
Apache
The simplest approach is to add the rules to the global web server configuration, e.g. /etc/apache2/conf.d/security, or to the vhost configuration:
<DirectoryMatch "/\.git">
    Require all denied
</DirectoryMatch>
<DirectoryMatch "/\.svn">
    Require all denied
</DirectoryMatch>
In shared hosting environments without direct access to the vhost configuration, you can use the .htaccess file to deny access to repository folders:
RewriteEngine On
# The dot is escaped so that only ".git"/".svn" path segments match, not e.g. "digital"
RewriteRule (^|/)\.git(/|$) - [L,R=404]
RewriteRule (^|/)\.svn(/|$) - [L,R=404]
Nginx
# Escaped dot: an unescaped "." would match any character and block unrelated paths
location ~ /\.(git|svn)/ {
    deny all;
}
Put this snippet in the server block of the nginx.conf file.
IIS 7+
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment=".git" />
          <add segment=".svn" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
Place this snippet in the web.config file, or configure the hidden segments via the IIS Manager GUI.
By the way: all recent versions of TYPO3 already contain a protection for .git, .svn and .hg folders in the _.htaccess file. Simply rename the file to .htaccess to protect your installation.