Closed Bug 57161 Opened 24 years ago Closed 24 years ago

file can contain a password, shouldn't be readable

Categories: Bugzilla :: Bugzilla-General, defect, P3, x86, Linux
Tracking: VERIFIED FIXED, Bugzilla 2.12
People: Reporter: uamjet602, Assigned: barnboy
References: none

Details

This file contains the password for the bugs user in the database if there is
one. It shouldn't be possible to display this file using an URL.

The documentation should really mention that one should create a .htaccess file
saying that this file should not be displayed.
Adding barnboy@imall.com to CC as this is a documentation issue
Tara, reassign this to me would you?
I'll get a fix in the Bugzilla Guide Pre3, see if permissions can be adjusted in checksetup.pl, and update the README.
Whiteboard: 2.14
-> barnboy@imall.com
Assignee: tara → barnboy
moving to real milestones...
Whiteboard: 2.14
Target Milestone: --- → Bugzilla 2.14
I don't agree that we should worry about documenting the creation of a .htaccess
file to control access -- a simple .htaccess file included with the Bugzilla
distribution would solve this nicely : )

But information regarding securing Bugzilla needs to be in the Guide.  I will
check an appropriate .htaccess file in as well as document appropriate controls
in the Guide too.
AIUI .htaccess only works on Apache. We still need to document this in case 
people use other web servers.

Gerv
I have put the relevant information into the Bugzilla Guide now, instructing
to disallow access to $BUGZILLA_HOME/localconfig and $BUGZILLA_HOME/data/ except
for data/comments.  I should be checking the change in tonight or tomorrow
morning.  I mention that the .htaccess files are *not* effective for anything
other than Apache or NCSA; I am unsure if iPlanet honors .htaccess controls.

I have placed the following .htaccess files in these locations in my local cvs
repository (I would appreciate your buyoff in a comment before I check them in,
I plan on checking in late tonight or early tomorrow morning)

$BUGZILLA_HOME/data/
--begin .htaccess
<Files comments>
allow from all
</Files>
deny from all
--end .htaccess

$BUGZILLA_HOME/shadow/
--begin .htaccess
deny from all
--end .htaccess

$BUGZILLA_HOME/
--begin .htaccess
<Files localconfig>
deny from all
</Files>
allow from all
--end .htaccess

I am marking these bugs as *resolved fixed* since the fix remains simply to
check into CVS.  If you disagree with this assessment, feel free to reopen the
bug : )
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
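A small audit script for the layout described in the comment above, added here as an example and not code from this bug or from Bugzilla itself: it checks that localconfig is not world-readable on disk (the permission side mentioned for checksetup.pl) and that the three .htaccess files carry the expected directives, exercised against a constructed throwaway tree. It assumes Apache's mod_access semantics, where the allow/deny inside a <Files> section replaces the directory-wide rule for that file, and it is a static check of the files only, not proof that the running web server honours them.

```python
import re
import tempfile
from pathlib import Path

# The three .htaccess files proposed in the comment above, keyed by directory.
HTACCESS = {
    ".": "<Files localconfig>\ndeny from all\n</Files>\nallow from all\n",
    "data": "<Files comments>\nallow from all\n</Files>\ndeny from all\n",
    "shadow": "deny from all\n",
}

def scope(text, name=None):
    """Directives for file NAME (its <Files> body), or for all other files (outside any <Files>)."""
    if name is None:
        return re.sub(r"<Files\b.*?</Files>", "", text, flags=re.S | re.I)
    m = re.search(r"<Files\s+%s\s*>(.*?)</Files>" % re.escape(name), text, re.S | re.I)
    return m.group(1) if m else ""

def has(directive, text):
    """True if 'DIRECTIVE from all' occurs in text (Apache directives are case-insensitive)."""
    return re.search(r"\b%s\s+from\s+all\b" % directive, text, re.I) is not None

def audit(home):
    """Return human-readable findings for a Bugzilla tree rooted at home."""
    home, findings = Path(home), []
    if (home / "localconfig").exists() and (home / "localconfig").stat().st_mode & 0o004:  # S_IROTH
        findings.append("localconfig is world-readable")
    def read(d):  # text of <home>/<d>/.htaccess, "" if it is missing
        p = home / d / ".htaccess"
        return p.read_text() if p.exists() else ""
    if not has("deny", scope(read("."), "localconfig")):
        findings.append("localconfig is not denied by .htaccess")
    for d in ("data", "shadow"):  # whole directories that must not be served
        if not has("deny", scope(read(d))):
            findings.append(d + "/ is not denied by .htaccess")
    if not has("allow", scope(read("data"), "comments")):
        findings.append("data/comments is not allowed (Bugzilla serves it to users)")
    return findings

def build_sample_tree(with_htaccess=True):
    """Constructed throwaway tree (not a real install) for exercising audit()."""
    home = Path(tempfile.mkdtemp(prefix="bugzilla-"))
    for d in ("data", "shadow"):
        (home / d).mkdir()
    lc = home / "localconfig"
    lc.write_text("$db_pass = 'placeholder-not-a-real-password';\n")
    lc.chmod(0o644)  # deliberately world-readable so the audit flags it
    for d, text in (HTACCESS.items() if with_htaccess else ()):
        (home / d / ".htaccess").write_text(text)
    return str(home)
```

Run audit() against a real $BUGZILLA_HOME to get the list of findings; an empty list means every check passed.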
Allow me to caveat: *I* will be checking this into CVS tonight : )
This stuff should surely go into the README.
In search of accurate queries....  (sorry for the spam)
Target Milestone: Bugzilla 2.14 → Bugzilla 2.12
REOPENing. No .htaccess as yet. :-) Please close bugs after checking in fixes.

Gerv
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
stuck a blurb in the readme. 
V.  This is documented adequately in the README and Bugzilla Guide.
Status: RESOLVED → VERIFIED
Moving closed bugs to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa