Microsites exposing git folder
Closed, Resolved | Public | Security

Description

Similar to {T294917}.

The following microsites expose their .git folder to the web. While this isn't necessarily an issue for ourselves as the repos are public, they do result in some false positive security reports.

https://analytics.wikimedia.org/.git/config
https://annual.wikimedia.org/.git/config
https://bienvenida.wikimedia.org/.git/config
https://design.wikimedia.org/.git/config
https://research.wikimedia.org/.git/config

Details

Risk Rating
Low
Author Affiliation
WMF Technology Dept

Event Timeline

Reedy triaged this task as Lowest priority. (Apr 20 2022, 12:19 PM)
Reedy updated the task description.
Mstyles moved this task from Incoming to In Progress on the Security-Team board.
Mstyles subscribed.

Going to see whether this can be addressed in the repo or on the webserver to prevent the .git folder from appearing on the web.

sbassett reassigned this task from Mstyles to Lucas_Werkmeister_WMDE.
sbassett moved this task from In Progress to Our Part Is Done on the Security-Team board.
sbassett subscribed.

Rad, thanks. This definitely appears to fix the URLs mentioned within the task description.

sbassett changed Author Affiliation from N/A to WMF Technology Dept. (Jul 19 2022, 5:17 PM)
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
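
A check for confirming a fix like the one discussed in this task, added here as an example (not code from the task or from the Wikimedia repositories): it requests `<base>/.git/config` for each base URL given on the command line and reports whether a git config is still being served. The function names, the status-code groupings and the sample config body are assumptions of this example.

```python
import re
import sys
import urllib.error
import urllib.request

# Markers git writes into .git/config at init: a [core] section and its version key.
CORE_SECTION = re.compile(r"^\s*\[core\]\s*$", re.MULTILINE | re.IGNORECASE)
REPO_VERSION = re.compile(r"^\s*repositoryformatversion\s*=", re.MULTILINE | re.IGNORECASE)

# Constructed sample body (not fetched from any of the sites in the task).
SAMPLE_GIT_CONFIG = '[core]\n\trepositoryformatversion = 0\n\tbare = false\n[remote "origin"]\n\turl = https://example.org/repo.git\n'


def classify(status: int, body: str) -> str:
    """Return 'exposed', 'not_exposed' or 'inconclusive' for one response."""
    if status == 200:
        # A catch-all page can answer 200 for any path, so inspect the body.
        is_git = CORE_SECTION.search(body) and REPO_VERSION.search(body)
        return "exposed" if is_git else "not_exposed"
    if status in (401, 403, 404, 410):
        return "not_exposed"
    return "inconclusive"  # e.g. 5xx: re-check rather than call it fixed


def fetch(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET url; return (status, first 4 KiB of body) even for HTTP error codes."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def main(bases: list[str]) -> int:
    """Check <base>/.git/config for each base URL; non-zero exit if any is exposed."""
    exposed = False
    for base in bases:
        url = base.rstrip("/") + "/.git/config"
        try:
            verdict = classify(*fetch(url))
        except OSError as err:  # DNS failure, timeout, TLS error
            verdict = f"inconclusive ({err})"
        print(f"{verdict:13} {url}")
        exposed |= verdict == "exposed"
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```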