I have a website which is in git, so it has a .git folder. While I’ve configured Apache to not serve files/folders that start with a dot, someone has been able to access files within the .git directory by using a double backslash at the beginning of the request URI.
In other words, the following URL returns a forbidden 403 as it should:
http://www.example.com/.git/objects/02/xxxxxxxxxxxxxxxxxxx
But, if you use the following URL, it serves the file:
http://www.example.com//.git/objects/02/xxxxxxxxxxxxxxxxxxx
I’ve been unable to figure out a solution that prevents this without using the rewrite engine. I can do a rewrite if necessary, but is there a simpler configuration that would prevent this access? More importantly, I’d like to know why this happens. What causes Apache to bypass all the restrictions just by putting an extra slash in there?
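As an added illustration (not part of the original question, and not the asker's actual configuration, which is not shown), the following Apache 2.4 fragment contrasts a dot-file rule written as a URI-path match with the same rule written as a filesystem-path match. The `<LocationMatch>` block is an assumption about how such a rule is commonly written: it tests the request path as received, so with the pre-2.4.39 behaviour (or `MergeSlashes Off`) the pattern `^/\.` does not match a request for `//.git/...`. `<DirectoryMatch>` and `<FilesMatch>` are evaluated against the path after Apache has mapped the URL onto the filesystem, where repeated slashes are collapsed, so the doubled slash no longer changes the outcome.

```apache
# Added example, not from the original post. Apache 2.4 syntax is assumed.

# Weak form (assumed): a URI-based match. "^/\." anchors on a single leading
# slash, so a request for "//.git/..." is not matched on servers that do not
# merge consecutive slashes before <Location> matching.
<LocationMatch "^/\.">
    Require all denied
</LocationMatch>

# Robust form: match on the filesystem path instead. Apache collapses "//"
# when it maps the URL to a file, so these apply to "/.git/..." and
# "//.git/..." alike.
<DirectoryMatch "/\.">
    Require all denied
</DirectoryMatch>
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Apache 2.4.39 and later also normalise repeated slashes in the URL path
# before <Location> matching; On is the default on those releases.
MergeSlashes On
```

After reloading, request both `http://www.example.com/.git/HEAD` and `http://www.example.com//.git/HEAD` and confirm both return 403; a 200 on the second form means a rule is still being evaluated against the raw URI path.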