Closed
Bug 57161
Opened 24 years ago
Closed 24 years ago
file can contain a password, shouldn't be readable
Categories
(Bugzilla :: Bugzilla-General, defect, P3)
VERIFIED
FIXED
Bugzilla 2.12
People
(Reporter: uamjet602, Assigned: barnboy)
Details
This file contains the password for the bugs user in the database if there is one. It shouldn't be possible to display this file using a URL. The documentation should really mention that one should create a .htaccess file saying that this file should not be displayed.
Comment 1•24 years ago
Adding barnboy@imall.com to CC as this is a documentation issue
Comment 2•24 years ago (Assignee)
Tara, reassign this to me would you? I'll get a fix in the Bugzilla Guide Pre3, see if permissions can be adjusted in checksetup.pl, and update the README.
Updated•24 years ago
Whiteboard: 2.14
Comment 4•24 years ago
moving to real milestones...
Whiteboard: 2.14
Target Milestone: --- → Bugzilla 2.14
Comment 5•24 years ago (Assignee)
I don't agree that we should worry about documenting the creation of a .htaccess file to control access -- a simple .htaccess file included with the Bugzilla distribution would solve this nicely : ) But information regarding securing Bugzilla needs to be in the Guide. I will check an appropriate .htaccess file in as well as document appropriate controls in the Guide too.
Comment 6•24 years ago
AIUI .htaccess only works on Apache. We still need to document this in case people use other web servers. Gerv
Comment 7•24 years ago (Assignee)
I have put the relevant information into the Bugzilla Guide now, instructing to disallow access to $BUGZILLA_HOME/localconfig and $BUGZILLA_HOME/data/ except for data/comments. I should be checking the change in tonight or tomorrow morning. I mention that the .htaccess files are *not* effective for anything other than Apache or NCSA; I am unsure if iPlanet honors .htaccess controls.

I have placed the following .htaccess files in these locations in my local cvs repository (I would appreciate your buyoff in a comment before I check them in, I plan on checking in late tonight or early tomorrow morning):

$BUGZILLA_HOME/data/
--begin .htaccess
<Files comments>
allow from all
</Files>
deny from all
--end .htaccess

$BUGZILLA_HOME/shadow/
--begin .htaccess
deny from all
--end .htaccess

$BUGZILLA_HOME/
<Files localconfig>
deny from all
</Files>
allow from all

I am marking these bugs as *resolved fixed* since the fix remains simply to check into CVS. If you disagree with this assessment, feel free to reopen the bug : )
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
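Because .htaccess files only take effect on servers that honor them (comment 6), the rules from comment 7 are worth checking over HTTP on whatever server hosts Bugzilla. The following is an added example, not part of this bug thread or of Bugzilla itself: it encodes those rules and reports protected paths that the server still serves. The function names and the `example-file` probe names are assumptions made for illustration.

```python
import posixpath
import sys
import urllib.error
import urllib.request

# Probe paths relative to $BUGZILLA_HOME. "example-file" is a constructed
# placeholder; substitute a file that really exists in data/ and shadow/.
PROBES = ["localconfig", "data/comments", "data/example-file", "shadow/example-file"]

def should_be_denied(rel_path):
    """Rules from comment 7: deny localconfig, shadow/, and data/ except data/comments."""
    norm = posixpath.normpath(rel_path).lstrip("/")
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if not parts:
        return False
    if parts == ["localconfig"] or parts[0] == "shadow":
        return True
    if parts[0] == "data":
        return parts != ["data", "comments"]
    return False

def http_status(base_url, rel_path):
    """Return the HTTP status code the server gives for one path."""
    url = base_url.rstrip("/") + "/" + rel_path
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(paths, fetch):
    """Return (path, status) for each protected path the server served (2xx)."""
    findings = []
    for path in paths:
        status = fetch(path)
        if should_be_denied(path) and 200 <= status < 300:
            findings.append((path, status))
    return findings

if __name__ == "__main__":
    # Usage: python check_access.py http://your-bugzilla-host/bugzilla
    base = sys.argv[1]
    exposed = audit(PROBES, lambda p: http_status(base, p))
    for path, status in exposed:
        print(f"EXPOSED: {path} returned {status}")
    sys.exit(1 if exposed else 0)
```

A non-zero exit status means at least one protected path was served, for example on a server that ignores .htaccess files.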
Comment 8•24 years ago (Assignee)
Allow me to caveat: *I* will be checking this into CVS tonight : )
Comment 9•24 years ago
This stuff should surely go into the README.
Comment 10•24 years ago
In search of accurate queries.... (sorry for the spam)
Target Milestone: Bugzilla 2.14 → Bugzilla 2.12
Comment 11•24 years ago
REOPENing. No .htaccess as yet. :-) Please close bugs after checking in fixes. Gerv
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → FIXED
Comment 12•24 years ago
stuck a blurb in the readme.
Comment 13•23 years ago
V. This is documented adequately in the README and Bugzilla Guide.
Status: RESOLVED → VERIFIED
Comment 14•23 years ago
Moving closed bugs to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa