Shulou(Shulou.com)06/01 Report--

This article is about the analysis of problems caused by .git. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

Recently, a small program, architecture Linux+Apache+Mysql+PHP (Thinkphp3.2), was launched. When doing the system, I only considered some basic security, such as csrf,sql injection, etc., but I didn't expect to fall down on git. The project uses a git version controller. When you pull a project, a hidden .git file, which is also a git driver file, is automatically created under your project folder. With it, you can use git for code management locally. The project has always been Thinkphp3.2, and the Nginx used by the server has never happened (because Nginx validates it).

For example, we visit the use of a website, http://xx/.git/index, and then automatically download one.

Then we can simply use notepad to open it.

Uh... Unexpectedly, it was the directory structure in your git code manager, and then we were able to download the directory structure of the entire project through a Mini Program written in python shared by a great god on github.

After that, through log analysis, you can get some account information of the administrator of the website, so that you can get some key information of the website, and then you can log in to the background of the website.

Well, having said so much, I still tell you how to solve this problem. In fact, if you generally pay attention to it, you won't make such a low-level mistake, but it's good to find out and modify it in time.

1. If your server is apache, then you will do this

(1) modify the configuration file of apache (the installation directory may be different, you can modify it by comparison)

Vim / etc/httpd/httpd.conf

1) first turn on rewriting, and then

RewriteEngine on

RewriteRule ^. Git-[Fmai L]

That's ok. You have a choice.

Apache forbids access to .git, .svn and other directories by configuring .htaccess files

Or modify the httpd.conf as I did, because I redirected the route, so I chose to modify the configuration file

(2) restart apache

/ usr/local/apache2/bin/apachectl restart

If you use Thinkphp5.0+ or laravel, congratulations, you don't have to worry, because the directory and public are not at the same level (if public is configured)

2. If you are using Nginx

If rewriting is configured in this way, the route will not be found at all, so that problem will not occur.

Thank you for reading! This is the end of this article on ".git problem analysis". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.