Closed Bug 57161 Opened 25 years ago Closed 24 years ago

file can contain a password, shouldn't be readable

Categories

(Bugzilla :: Bugzilla-General, defect, P3)

x86
Linux
defect

Tracking

VERIFIED FIXED
Bugzilla 2.12

People

(Reporter: uamjet602, Assigned: barnboy)

Details

This file contains the password for the bugs user in the database if there is one. It shouldn't be possible to display this file using a URL. The documentation should really mention that one should create a .htaccess file saying that this file should not be displayed.
Adding barnboy@imall.com to CC as this is a documentation issue
Tara, reassign this to me would you? I'll get a fix in the Bugzilla Guide Pre3, see if permissions can be adjusted in checksetup.pl, and update the README.
Whiteboard: 2.14
Assignee: tara → barnboy
moving to real milestones...
Whiteboard: 2.14
Target Milestone: --- → Bugzilla 2.14
I don't agree that we should worry about documenting the creation of a .htaccess file to control access -- a simple .htaccess file included with the Bugzilla distribution would solve this nicely : ) But information regarding securing Bugzilla needs to be in the Guide. I will check an appropriate .htaccess file in as well as document appropriate controls in the Guide too.
AIUI .htaccess only works on Apache. We still need to document this in case people use other web servers. Gerv
I have put the relevant information into the Bugzilla Guide now, instructing to disallow access to $BUGZILLA_HOME/localconfig and $BUGZILLA_HOME/data/ except for data/comments. I should be checking the change in tonight or tomorrow morning. I mention that the .htaccess files are *not* effective for anything other than Apache or NCSA; I am unsure whether iPlanet honors .htaccess controls.

I have placed the following .htaccess files in these locations in my local cvs repository (I would appreciate your buyoff in a comment before I check them in; I plan on checking in late tonight or early tomorrow morning):

$BUGZILLA_HOME/data/
--begin .htaccess
<Files comments>
allow from all
</Files>
deny from all
--end .htaccess

$BUGZILLA_HOME/shadow/
--begin .htaccess
deny from all
--end .htaccess

$BUGZILLA_HOME/
<Files localconfig>
deny from all
</Files>
allow from all

I am marking these bugs as *resolved fixed* since the fix remains simply to check into CVS. If you disagree with this assessment, feel free to reopen the bug : )
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
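An added example, not part of the original bug thread and not Bugzilla's own code: a shell audit that checks an install directory for the three .htaccess rules proposed in the comment above. The paths (localconfig, data/, shadow/) come from the thread; the function names denies and audit_bugzilla are hypothetical, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not Bugzilla code): audit for the .htaccess rules proposed above.
# Paths (localconfig, data/, shadow/) come from the thread; function names are
# hypothetical. Only the "deny from all" syntax shown in the thread is recognised.

# denies FILE SCOPE: succeed if FILE has "deny from all" at top level (SCOPE "")
# or inside a <Files SCOPE> section.
denies() {
    [ -f "$1" ] || return 1
    awk -v want="$2" '
        { line = tolower($0); sub(/#.*/, "", line)
          gsub(/[ \t]+/, " ", line); gsub(/^ | $/, "", line) }
        line ~ /^<files / { scope = line; sub(/^<files /, "", scope)
                            sub(/>$/, "", scope); gsub(/"/, "", scope); next }
        line == "</files>" { scope = ""; next }
        line == "deny from all" && scope == tolower(want) { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# audit_bugzilla DIR: report each missing rule; return the number of problems.
audit_bugzilla() {
    bz=$1; problems=0
    denies "$bz/.htaccess" localconfig || {
        echo "MISSING: <Files localconfig> deny in $bz/.htaccess"
        problems=$((problems + 1)); }
    for d in data shadow; do
        [ -d "$bz/$d" ] || continue
        denies "$bz/$d/.htaccess" "" || {
            echo "MISSING: top-level deny in $bz/$d/.htaccess"
            problems=$((problems + 1)); }
    done
    return "$problems"
}

# Constructed demo tree: data/ is protected as in the thread, shadow/ is not.
demo=$(mktemp -d)
mkdir -p "$demo/data" "$demo/shadow"
printf '<Files localconfig>\ndeny from all\n</Files>\nallow from all\n' > "$demo/.htaccess"
printf '<Files comments>\nallow from all\n</Files>\ndeny from all\n' > "$demo/data/.htaccess"
audit_bugzilla "$demo" || echo "problems found: $?"
rm -rf "$demo"
```

This only confirms the files are in place; as noted in the thread, a web server that does not honor .htaccess still needs its own access rules.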
Allow me to caveat: *I* will be checking this into CVS tonight : )
This stuff should surely go into the README.
In search of accurate queries.... (sorry for the spam)
Target Milestone: Bugzilla 2.14 → Bugzilla 2.12
REOPENing. No .htaccess as yet. :-) Please close bugs after checking in fixes. Gerv
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
stuck a blurb in the readme.
V. This is documented adequately in the README and Bugzilla Guide.
Status: RESOLVED → VERIFIED
Moving closed bugs to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa