Open LoganTann opened 2 years ago
The app is open-source so the information that would be displayed is already public, but I agree it is a good practice to prevent access to the .git/ folder.
Do you want to submit a PR that adds this rule to .htaccess?
Your environment
Please answer these questions when reporting a new issue:
What is your operating system (Windows, Linux, OSX, etc.)? : Ubuntu Server 20.04
What is your web server (Apache, IIS, etc.)? : Apache
What version of AllTube are you using? : branch develop, commit 835170f
How did you install AllTube (with Git or with a release package)? : git
What version of PHP are you using? : 8.1
What version of Python are you using? : 3.8.10
What version of youtube-dl are you using? : 2020-03-24
Do you get any PHP-related errors in your webserver's logs?: no
What is the content of your config/config.yml file? : same config as #384
Please provide the URL of a video that causes the issue. : not related
Describe your issue
It isn't possible to access the .git folder, but requesting http://alltube.<domain>/.git/HEAD will work. Since the git folder has a well-known structure, it is possible to copy the whole local repository. Leaving the git folder accessible in prod is a security issue (see https://gaurav5430.medium.com/web-security-exposed-git-folder-in-production-51ad9484dee0). It is the same for the config file. I think it is a good idea to add a rule in the htaccess file that will prevent some sensitive files/folders from being accessed through Apache.