RISC OS Open
Safeguarding the past, present and future of RISC OS for everyone

Ticket #80 (Fixed) Fri Oct 27 16:37:06 UTC 2006

Find solution to sensitive files held in SVN

Reported by: Andrew Hodgkinson (6) Severity: Normal
Part: Repository: Subversion Release:
Milestone: Status: Fixed

Details by Andrew Hodgkinson (6):

Rails database.yml configuration files contain the database access password. Since the database listens on Unix domain sockets anyway this information is not immediately useful, but it’s still not good to have such information exposed and present potential hackers with data that could be very helpful in an attack.

Other than simply checking in all SVN sources to a clean, new repository in the ROOL account, losing the revision history – which might actually be desirable in some respects, but we’d have to clear the tickets database too since it refers to Changesets that would vanish – is there a way of nuking those files without killing the rest of the repository?

As a side note, the chances of accidentally committing the same file again in a future update are relatively high so it isn’t necessarily worth bothering to address this problem unless the commit aspect is considered too.

Changelog:

Modified by Andrew Hodgkinson (6) Fri, November 10 2006 - 21:48:56 GMT

See also Ticket #87, which faces a related issue.

Modified by Andrew Hodgkinson (6) Fri, December 01 2006 - 17:49:48 GMT

  • Status changed from Open to Fixed

Uncomfortable though exposing a password in a database.yml might feel, there really is no way to access the database from outside the server. If someone has already got far, database.yml files are the very last of anyone’s worries.

These files don’t contain truly sensitive data. In time, it may be necessary to come up with a scheme to block certain files from access, but that time hasn’t come yet. Hopefully I won’t regret it :-) but for now I’m going to close the ticket.
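The ticket raises the risk of database.yml being committed again by accident. One way to cover that commit aspect is a Subversion pre-commit hook, shown here as an added example that is not part of the ticket or of ROOL's repository setup. The function name `blocked_paths` and the `database.yml.example` suggestion are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: Subversion pre-commit hook that refuses to add or modify
# Rails database.yml files. Subversion invokes it as: pre-commit REPOS TXN
#
# `svnlook changed` prints one line per path: a status column, then the path
# starting at column 5. Constructed sample lines:
#   A   trunk/config/database.yml
#   U   trunk/app/models/user.rb
#   D   branches/old/config/database.yml

# Read `svnlook changed` output on stdin and print every added or updated
# path whose file name is exactly database.yml. Deletions pass through so
# an already committed copy can still be removed from the tree.
blocked_paths() {
    while IFS= read -r line; do
        action=${line%% *}   # status column, e.g. A, U, UU, _U, D
        path=${line#????}    # strip the 4-character status prefix
        case "$action" in D*) continue ;; esac
        case "$path" in
            database.yml|*/database.yml) printf '%s\n' "$path" ;;
        esac
    done
}

# Only act when called as a hook (two arguments), so the function above can
# also be sourced and exercised on sample input without a repository.
if [ "$#" -ge 2 ]; then
    REPOS=$1
    TXN=$2
    hits=$(svnlook changed -t "$TXN" "$REPOS" | blocked_paths)
    if [ -n "$hits" ]; then
        echo "Commit rejected: database.yml holds the database password:" >&2
        echo "$hits" >&2
        echo "Commit a database.yml.example with placeholder values instead." >&2
        exit 1
    fi
fi
```

A hook like this only stops new commits; copies of the file already in the revision history remain readable in earlier revisions.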
