WebFaction

Hi, I am deploying my projects with Git. I know that the popular approach to Git deployment is "to create bare repositories each checked out to a 'working' area, which use a post-receive hook to update the actual files served by the website."

However, for some CMS websites, I need to include in the version control the changes made by the website users (for example, when they upload a picture).

What would be a good approach for this case?

What I did is set up a repo (non-bare) in the ~/webapps/cms directory itself, so I can also commit the changes made there, but I'm wondering if that poses a security risk, since the special .git folder would be exposed in a web-accessible folder.

Any ideas and thoughts are appreciated.

asked 13 Oct '12, 10:47

teks


This sounds like a fine approach, although you are correct that exposing the .git directory is insecure. However, you can hide it similarly to how you would normally hide a .htaccess and .htpasswd file:

# hide .htaccess and .htpasswd:
<FilesMatch "^\.ht">
order allow,deny
deny from all
</FilesMatch>

using something like this instead:

# hide entire .git directory
# place this in a .htaccess file *inside* the .git directory
order allow,deny
deny from all

Since you're hiding an entire directory, you would place this inside of .git/.htaccess instead of the root-level .htaccess file. Also, since you're using .htaccess, you would need to ensure that this is running under a "Static/CGI/PHP" application type rather than a "Static Only (no .htaccess)" application.

Hope that helps!

answered 13 Oct '12, 19:31

ryans ♦♦

edited 13 Oct '12, 19:37

Thank you. The idea is good, but I'd rather not touch the inside of the .git directory for things not related to the git system itself. I'm worried that there might be unexpected/silent consequences. Is there any way to set up something like this but in the app-root-level .htaccess file?

(14 Oct '12, 10:45) teks

You could maybe try the DirectoryMatch directive in a .htaccess in the app root directory.

http://httpd.apache.org/docs/2.2/mod/core.html#directorymatch

(14 Oct '12, 11:08) bmeyer71 ♦♦

Would you please give a usage example? I tried the following without luck (500 Internal Server Error):

<DirectoryMatch \.git>
   Order allow,deny
   Deny from all
</DirectoryMatch>

And what about "Directory" directive?

(14 Oct '12, 14:47) teks

I believe what you have should work. Just change .git to "^/.git"; don't forget the quotes.

(14 Oct '12, 14:51) bmeyer71 ♦♦

Hmm, no. I tried "^/.git", "^/.git/", "^/\.git", and several combinations, but I think I'm not just going to guess it... Regular expressions are not my thing :/

(14 Oct '12, 15:05) teks

Maybe open a support ticket so we can take a closer look at what you have. Please provide the URL you are testing with in the ticket.

(14 Oct '12, 15:17) bmeyer71 ♦♦

I just wanted to let you know that I blocked/hid the .git folder using the following .htaccess code in the app root directory:

RewriteRule \.git - [R=403,L]

You can change it to R=404 if you want a discreet 404 instead. Of course, don't forget to add RewriteEngine On at the beginning.

I couldn't make DirectoryMatch work. It would be nice if some of you shared tested/working code for this, just to have one more alternative.

answered 05 Mar '13, 13:01

teks
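
A check for the concern raised in this thread, as an added example that is not part of any post above: once a deny rule is in place, confirm that the server no longer serves repository files. The probe paths, the function names and the canned sample responses are assumptions made for this example.

```python
import re
import sys
import urllib.error
import urllib.request

# Files every Git repository contains, each with a content signature so that
# a soft "200 OK" error page is not mistaken for a leak.
PROBES = {
    ".git/HEAD": re.compile(rb"^(ref: refs/|[0-9a-f]{40}\s*$)"),
    ".git/config": re.compile(rb"\[core\]"),
}

def http_get(url, timeout=5):
    """Return (status, first 512 bytes of the body) for a GET request."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(512)
    except urllib.error.HTTPError as err:  # a 403/404 from the deny rule
        return err.code, b""

def exposed_git_files(base_url, get=http_get):
    """Return the probe paths whose repository content the server serves."""
    leaks = []
    for path, signature in PROBES.items():
        status, body = get(base_url.rstrip("/") + "/" + path)
        if status == 200 and signature.search(body):
            leaks.append(path)
    return leaks

def canned(responses):
    """Build a stand-in for http_get from constructed {path: (status, body)}."""
    def get(url):
        return responses.get(url.split("/", 3)[3], (404, b""))
    return get

# Constructed sample responses (not captured from a real site).
UNPROTECTED = {".git/HEAD": (200, b"ref: refs/heads/master\n"),
               ".git/config": (200, b"[core]\n\tbare = false\n")}
PROTECTED = {".git/HEAD": (403, b""), ".git/config": (403, b"")}
SOFT_404 = {".git/HEAD": (200, b"<html>Page not found</html>"),
            ".git/config": (200, b"<html>Page not found</html>")}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # base URL of the site whose .htaccess was edited
        print(exposed_git_files(sys.argv[1]) or "no .git files served")
    else:
        for name, sample in [("unprotected", UNPROTECTED), ("protected", PROTECTED)]:
            print(name, exposed_git_files("http://example.test", canned(sample)))
```

An empty list means neither probe returned repository content, whether the rule answers with 403 or 404.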
question asked: 13 Oct '12, 10:47

question was seen: 2,509 times

last updated: 05 Mar '13, 13:01
