Protect Your git Repository’s .htpasswd
Update 2: WebFaction fixed their installer. You still need to fix this yourself if the repository was created before Jan 13, 2011. (Details here.)
Update: Git repositories created with WebFaction’s git installer are insecure, even when they’re password protected. Some Apache installations are configured out-of-the-box to protect .htpasswd files. That is not the case with WebFaction.
If you’re running a .git repository on WebFaction that was created by following their documentation, then you must:
- Remove the file’s default world-readable permissions, by running chmod o-r .htpasswd
- OR: Prevent the file from being downloaded, by adding the following to .htaccess:
<files ~ "^\.ht"> Order allow,deny Deny from all </files>
Of course, the same applies to any .htpasswd file.
About Me
20 year old undergrad in CS & Physics, co-founder of Freeversation, and former software developer at Check Point.
I am interested in social startups, information security, and robotics. Read more about me
Contact
Email aantny [at] gmail [dot] com. If it's interesting, I can code it.
[...] This post was mentioned on Twitter by Zuissi, Natan Yellin. Natan Yellin said: New blog post: Protect Your git Repository's .htpasswd http://bit.ly/dTPKML [...]
Actually, right bundled Apache does. Debian Apache package provide such a default access rule.
I was wondering about the defaults. Thanks for explaining about Debian.
[...] – and Redmine and git are easy installs anyways. You should be aware that there used to be a security vulnerability in WebFaction’s git installer. The problem has been fixed, but all repositories created before January 13 need to fix the issue [...]