Git commit hash exposed to all visitors in footer #10

Open
opened 2026-05-14 21:15:36 +02:00 by Claude · 0 comments

## Problem

`src/html/footer.php` reads the current git commit hash from `.git/refs/heads/master` and renders it in every page footer as a hyperlink to the public GitHub commit:

```php
<a href="https://github.com/jusdepatate/openlongr/commit/<?= get_current_git_commit() ?>">
    <?= get_current_git_commit("master", true) ?>
</a>
```

## Location

`src/html/footer.php`, lines 4–5
`autoload.php`, lines 37–45 (`get_current_git_commit()`)

## Risk

The displayed commit hash reveals the exact version of the code running in production. An attacker can cross-reference this against the public repository to identify known vulnerabilities fixed in later commits, understand the exact codebase, and narrow their attack surface research significantly. It also confirms the deployment model (git-pull to web root), which correlates with the `.git` directory exposure risk.

## Suggested fix direction

Remove the commit hash display from the public-facing footer. If version tracking is needed, limit it to admin or status pages with access control, or expose it only in an internal header (`X-App-Version`) not visible in the browser.

## Severity

minor

## Found by

Automated audit by Claude Code
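One way to implement the gated variant of the fix above, as an added example that is not OpenLongr's code and not part of the issue text. It replaces the unconditional footer link with a helper that resolves the checked-out commit from `.git` (symbolic HEAD, loose ref, or packed-refs, validated as 40 hex characters) and returns it only when the caller is an authenticated administrator; anonymous visitors get nothing rendered. The role check `is_admin_session()`, the function names, and the temporary `.git` layout built in `demo()` are assumptions for illustration. Note that any HTTP response header, `X-App-Version` included, is readable by anyone who runs `curl -I` against the site, so the access check is the control, not the move out of the HTML body.

```php
<?php
// Added example (not OpenLongr code): gate the build identifier instead of
// printing it in every footer. Assumes the application has some session or
// role check; here it is the hypothetical is_admin_session().
declare(strict_types=1);

/**
 * Resolve the checked-out commit from a .git directory without running git.
 * Handles a detached HEAD, a symbolic ref, and packed refs. Returns null when
 * anything looks wrong rather than echoing whatever was in the file.
 */
function resolve_git_commit(string $gitDir): ?string
{
    $head = @file_get_contents($gitDir . '/HEAD');
    if ($head === false) {
        return null;
    }
    $head = trim($head);

    // Detached HEAD: the file holds the hash itself.
    if (preg_match('/^[0-9a-f]{40}$/', $head)) {
        return $head;
    }
    if (!preg_match('#^ref: (refs/heads/[A-Za-z0-9._/-]+)$#', $head, $m)) {
        return null;
    }
    $ref = $m[1];

    // Loose ref file, e.g. .git/refs/heads/master (what footer.php relies on).
    $loose = @file_get_contents($gitDir . '/' . $ref);
    if ($loose !== false && preg_match('/^[0-9a-f]{40}$/', trim($loose))) {
        return trim($loose);
    }

    // Fallback after `git gc`: packed-refs holds lines of "<hash> <refname>".
    $packed = @file_get_contents($gitDir . '/packed-refs');
    if ($packed !== false) {
        foreach (preg_split('/\R/', $packed) as $line) {
            if (preg_match('/^([0-9a-f]{40}) ' . preg_quote($ref, '/') . '$/', $line, $pm)) {
                return $pm[1];
            }
        }
    }
    return null;
}

/**
 * Version string to display for this request, or null when the visitor is
 * not entitled to see it. Anonymous visitors always get null, so the footer
 * prints nothing for them.
 */
function version_for_request(bool $isAdmin, string $gitDir, bool $short = true): ?string
{
    if (!$isAdmin) {
        return null;
    }
    $commit = resolve_git_commit($gitDir);
    if ($commit === null) {
        return null;
    }
    return $short ? substr($commit, 0, 7) : $commit;
}

// Hypothetical role check; replace with the application's real session logic.
function is_admin_session(): bool
{
    return isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
}

// Footer usage, replacing the unconditional <a href=...> in src/html/footer.php.
function render_footer_version(string $gitDir): string
{
    $version = version_for_request(is_admin_session(), $gitDir);
    if ($version === null) {
        return '';
    }
    return '<span class="build">build ' . htmlspecialchars($version, ENT_QUOTES, 'UTF-8') . '</span>';
}

// Constructed sample input: a throwaway .git layout with a symbolic HEAD, so
// the example runs offline without a real checkout.
function demo(): void
{
    $gitDir = sys_get_temp_dir() . '/example-git-' . bin2hex(random_bytes(4));
    mkdir($gitDir . '/refs/heads', 0700, true);
    file_put_contents($gitDir . '/HEAD', "ref: refs/heads/master\n");
    file_put_contents($gitDir . '/refs/heads/master', str_repeat('ab', 20) . "\n");

    var_dump(version_for_request(false, $gitDir));        // anonymous visitor: entitled to nothing
    var_dump(version_for_request(true, $gitDir));         // administrator: abbreviated hash
    var_dump(version_for_request(true, $gitDir, false));  // administrator: full hash
}

demo();
```

Validating the ref contents against `^[0-9a-f]{40}$` matters because the footer otherwise reflects whatever is in the file into a URL; returning null on any surprise keeps a corrupted or hand-edited ref from ever reaching the page.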
Reference
bc1bb/OpenLongr#10