Posted to infrastructure-issues@apache.org by "Henning Schmiedehausen (JIRA)" <ji...@apache.org> on 2006/07/12 08:47:30 UTC

[jira] Created: (INFRA-887) Do not allow webservers to server .svn URLs

Do not allow webservers to server .svn URLs
-------------------------------------------

         Key: INFRA-887
         URL: http://issues.apache.org/jira/browse/INFRA-887
     Project: Infrastructure
        Type: Bug
    Security: public (Regular issues) 
  Components: HTTP Server  
    Reporter: Henning Schmiedehausen


open http://httpd.apache.org/.svn/text-base/ in a browser.

Bad. Please add a rule to the global http configuration that forbids serving /.svn/ URLs.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
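
The kind of rule requested above, as an added example (not the ASF's actual configuration and not part of the original message): two ways to refuse /.svn/ URLs server-wide. It assumes Apache httpd 2.4 directive syntax and that only one of the two options is enabled.

```apache
# Added example. Place in the main server configuration, outside any
# <VirtualHost>, so that every site served by this httpd inherits it.

# Option A: deny by filesystem path (core directive, no extra module).
# Matches a .svn directory itself and everything beneath it, e.g.
#   <docroot>/.svn/entries
#   <docroot>/docs/.svn/text-base/index.html.svn-base
# Clients receive 403 Forbidden.
<DirectoryMatch "/\.svn(/|$)">
    Require all denied
    # httpd 2.2 and earlier equivalent (assumption: mod_authz_host loaded):
    #   Order allow,deny
    #   Deny from all
</DirectoryMatch>

# Option B: answer by URL path with 404 (requires mod_alias).
# A 404 does not confirm that the working-copy metadata exists on disk.
# Left commented out so that only one rule is active.
#RedirectMatch 404 "/\.svn(/|$)"

# Both options evaluate a regular expression while processing each
# request, which is the per-request cost discussed in this thread.
```

A deployment-side alternative with no per-request cost is to publish the site with "svn export" rather than from a checked-out working copy, since an export contains no .svn directories. After enabling either option, a request for /.svn/text-base/ should return 403 (Option A) or 404 (Option B) instead of a directory listing.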


[jira] Resolved: (INFRA-887) Do not allow webservers to server .svn URLs

Posted by "Henri Yandell (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/INFRA-887?page=all ]

Henri Yandell resolved INFRA-887.
---------------------------------

    Resolution: Won't Fix

Garrett's point is good enough I think - we'll not fix this.


[jira] Commented: (INFRA-887) Do not allow webservers to server .svn URLs

Posted by "Garrett Rooney (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/INFRA-887?page=comments#action_12420712 ] 

Garrett Rooney commented on INFRA-887:
--------------------------------------

Considering that everything within the .svn directories is publicly visible anyway, it's not like fixing this is a priority, especially with the load issues on ajax.



[jira] Commented: (INFRA-887) Do not allow webservers to server .svn URLs

Posted by "Joe Schaefer (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/INFRA-887?page=comments#action_12420659 ] 

Joe Schaefer commented on INFRA-887:
------------------------------------

Oops, I incorrectly thought that members who
request shell access to a box are entitled to it,
but I'm told that's not the case.

The problem with resolving this issue right now
on ajax is that any solution I can think of will impose
a penalty on all requests (probably a pattern match),
and will make the load problem on ajax worse than
it already is.  We only get about 100 or so requests
per day to .svn dirs, whereas we get 6M regular ones.

In my opinion, the risk of additional load isn't worth
the reward of blocking a few stray requests.  Let's
revisit this issue when the websites are running on
better hardware.



[jira] Commented: (INFRA-887) Do not allow webservers to server .svn URLs

Posted by "Joe Schaefer (JIRA)" <ji...@apache.org>.
    [ http://issues.apache.org/jira/browse/INFRA-887?page=comments#action_12420632 ] 

Joe Schaefer commented on INFRA-887:
------------------------------------

Henning,  I noticed you do not have a shell on ajax.
If you'd like to look into this a bit more closely, I can
create an account for you there.
