Setup Conflict
Issue #16
resolved
On my shared hosting, the files listed below have now been placed inside a directory called "bitbucket-sync" which resides inside the "public_html" directory.
- public_html
  - bitbucket-sync
    - commits directory
    - config.php
    - deploy.php
    - gateway.php
    - index.php
    - README.md
    - bitbucket-sync
BTW, all seems to be working, however…
The README.md says:
"Copy the source files to your web-server in a location which is accessible from the internet (usually public_html, or www folders)."
On the contrary, the readme.txt inside the "commits" folder states:
"Ideally, this folder should be placed out of reach from public (outside www or public_html directories)."
I'm confused about the correct way to set this up. I don't want to promote a vulnerability all because I placed these files incorrectly.
Comments (3)

repo owner - changed status to resolved
If you need further clarifications, you can update this ticket.

repo owner -
First off, as long as the config.php file specifies the correct path to the commits folder, the script should run fine, regardless of the actual location.

Now, for the vulnerability part, if you're concerned that someone might access the commits folder through the internet and read the information about your pushes, then you can move commits outside public_html. This is not a real vulnerability, but rather a harmless information leak (if someone knows what files you changed, they cannot do much about it, or if they know your repository name, that's OK if the repo is private). Moreover, the files in commits have a short lifespan (until the actual deployment is performed after a push, which can be immediately after the POST service hook is triggered if your configuration has automaticDeployment on true).

However, if you would like to be super-safe, simply move that folder outside public_html, or protect it through a .htaccess file.
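An added check (not part of bitbucket-sync or the repo owner's answer) that tells a deployer which of the two layouts discussed above they actually have: it resolves the configured commits path and the server's document root and reports whether the folder sits under public_html, where it can be requested over HTTP. It assumes the path from config.php is passed in as $commitsDir and that $docRoot is $_SERVER['DOCUMENT_ROOT'].

```php
<?php
// Added example, not part of bitbucket-sync. Checks whether the folder that
// receives the pushed commit data lies under the web server's document root,
// i.e. whether it is reachable over HTTP at all. Assumed inputs: $commitsDir
// is the path configured in config.php, $docRoot is $_SERVER['DOCUMENT_ROOT']
// (usually .../public_html on shared hosting).

function commits_dir_is_web_reachable(string $commitsDir, string $docRoot): bool
{
    // realpath() follows symlinks and removes "..", so a folder that is
    // linked into public_html is still detected.
    $real = realpath($commitsDir);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        // A path that cannot be resolved is reported as reachable so the
        // caller fails closed instead of assuming it is protected.
        return true;
    }
    // Compare with trailing separators so /home/u/public_html_old is not
    // mistaken for a child of /home/u/public_html.
    $real = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0;
}

// Demonstration on a constructed directory tree in the system temp folder.
$base    = sys_get_temp_dir() . '/bbsync-demo-' . getmypid();
$docRoot = $base . '/public_html';
$inside  = $docRoot . '/bitbucket-sync/commits';   // layout described in the issue
$outside = $base . '/bitbucket-sync-commits';      // layout the commits readme.txt asks for
foreach ([$inside, $outside] as $dir) {
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);
    }
}

foreach ([$inside, $outside] as $dir) {
    $state = commits_dir_is_web_reachable($dir, $docRoot)
        ? 'under the document root: move it or deny access with .htaccess'
        : 'outside the document root: not reachable over HTTP';
    echo $dir, ' => ', $state, PHP_EOL;
}
```

If the folder has to stay under public_html, the .htaccess the repo owner mentions needs only `Require all denied` (Apache 2.4) or `Deny from all` (Apache 2.2) in the commits directory.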