by tterrace
4419 days ago
"Put the secret into your shared/.rbenv-vars file"... and then say goodbye to them! http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0... . I don't think keeping your secrets in a file accessible to the web server is a good idea because of LFI vulns like this. Some other ideas that I've heard that may be better: store the secrets on a separate "offline" server that only the web server can talk to. Or have the file readable only by root, run a bootstrap script as root that would read the file, drop root privs, and then start the web server.
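The root-only bootstrap idea from the comment above, as an added example (not the commenter's code and not part of rbenv-vars): it verifies the secret file is root-owned and not group/other accessible, parses its KEY=VALUE lines, drops to an unprivileged user, and execs the server with the secrets in its environment. The sample file content and the simplified KEY=VALUE parsing (no `$VAR` expansion) are assumptions.

```python
import os
import pwd
import stat
import sys

# Constructed sample in the KEY=VALUE style of an .rbenv-vars file.
# Assumption: no $VAR expansion (the real rbenv-vars plugin also does that).
SAMPLE_VARS = "# constructed example\nSECRET_KEY_BASE=abc123\nDATABASE_URL=postgres://db/app\n"

def parse_rbenv_vars(text):
    """Parse KEY=VALUE lines, ignoring blank lines and '#' comments."""
    secrets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        secrets[key.strip()] = value.strip()
    return secrets

def file_mode_problems(uid, mode):
    """Reasons the secret file is unsafe: must be root-owned, no group/other bits (0600/0400)."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible to group or other")
    return problems

def drop_privileges(user):
    """Switch to the unprivileged user (needs root). Order matters: groups, gid, uid."""
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    if os.geteuid() == 0:
        raise RuntimeError("still root after dropping privileges")

def bootstrap(secret_path, user, argv):
    """Run as root: check the file is locked down, read it, drop root, exec the server.
    The server process receives the secrets only through its environment."""
    st = os.stat(secret_path)
    problems = file_mode_problems(st.st_uid, st.st_mode)
    if problems:
        sys.exit(f"refusing to start: {secret_path} is {', '.join(problems)}")
    with open(secret_path) as fh:
        secrets = parse_rbenv_vars(fh.read())
    drop_privileges(user)
    os.execvpe(argv[0], argv, dict(os.environ, **secrets))
```

This closes the LFI case (the app user can no longer read the file) but the secrets are still visible to the app process itself via its environment, so a code-execution bug in the app can still expose them.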