Closed Bug 374046 Opened 17 years ago Closed 16 years ago

Access control in discussions subdirectories restricted to some methods

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jwkbugzilla, Assigned: lorchard)

Attachments

(1 file, 1 obsolete file)

/app/webroot/discussions/ has several subdirectories with .htaccess files like this one:

<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>

Why are only GET, POST and PUT denied? Am I still allowed to access the directory using the HEAD method? From http://httpd.apache.org/docs/2.0/mod/core.html#limit:

"In the general case, access control directives should not be placed within a <Limit> section."

Note that I still got 403 Forbidden when trying to access some file using the HEAD method, but I guess it was the cache server translating HEAD into GET.
Assignee: nobody → laura
Target Milestone: --- → 3.4.5
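As an added illustration (not code from this bug or from the addons.mozilla.org tree), the small Python audit below captures the point raised in the report: an access-control directive placed inside <Limit> is applied only to the methods listed, so any other method (OPTIONS, TRACE, DELETE, the WebDAV set, or an arbitrary method token a PHP handler will happily accept) is not denied at all. One caveat worth adding: the Apache <Limit> documentation also states that limiting GET restricts HEAD as well, which explains the 403 on HEAD without needing the cache server to rewrite the method. The three .htaccess fragments are constructed for the example; the first has the shape of the files found in the Vanilla lib directories, the other two the shape of the eventual fix (deny everything, then re-allow in the individual theme directories). The Order/Allow/Deny directives are the Apache 2.0/2.2 mod_access syntax this bug deals with; on Apache 2.4 the hardened fragment would be written as `Require all denied`.

```python
"""Audit .htaccess fragments for access control placed inside <Limit>.

Added example, not part of bug 374046 or the AMO code base. The three
fragments below are constructed for illustration.
"""
import re

# Constructed: the pattern the reporter found in the Vanilla lib directories.
WEAK_HTACCESS = """\
<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>
"""

# Constructed: the shape of the fix (no <Limit>, so every method is covered).
HARDENED_HTACCESS = """\
Order Allow,Deny
Deny from All
"""

# Constructed: a per-theme override that re-allows a CSS/image directory.
THEME_HTACCESS = """\
Order Allow,Deny
Allow from All
"""

# Methods Apache registers by default (RFC 7231 plus the WebDAV set).
STANDARD_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}

# Directives that decide who may access a resource (mod_access / mod_authz_core).
ACCESS_DIRECTIVES = {"order", "allow", "deny", "require", "satisfy"}

_OPEN = re.compile(r"^<Limit(Except)?\s+([^>]+)>$", re.IGNORECASE)
_CLOSE = re.compile(r"^</Limit(Except)?>$", re.IGNORECASE)


def uncovered_methods(limited):
    """Methods that a `<Limit ...>` listing `limited` leaves unrestricted.

    Apache documents that limiting GET also limits HEAD, so HEAD is treated
    as covered whenever GET is. Non-standard method tokens are never covered
    by <Limit>, so the returned list is only a lower bound on the exposure.
    """
    covered = {m.upper() for m in limited}
    if "GET" in covered:
        covered.add("HEAD")
    return sorted(STANDARD_METHODS - covered)


def audit_htaccess(text):
    """Return (line_no, message) findings for access control inside <Limit>.

    <LimitExcept> is the safe direction (it restricts every method *not*
    listed) and is therefore not reported.
    """
    findings = []
    section = None  # ("Limit" | "LimitExcept", [methods]) while inside a block
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.match(line)
        if opened:
            kind = "LimitExcept" if opened.group(1) else "Limit"
            section = (kind, opened.group(2).split())
            continue
        if _CLOSE.match(line):
            section = None
            continue
        directive = line.split()[0].lower()
        if section and section[0] == "Limit" and directive in ACCESS_DIRECTIVES:
            gaps = ", ".join(uncovered_methods(section[1]))
            findings.append(
                (no, f"'{line}' inside <Limit {' '.join(section[1])}> does not "
                     f"apply to {gaps} or to any non-standard method")
            )
    return findings


if __name__ == "__main__":
    for name, body in [("weak", WEAK_HTACCESS), ("hardened", HARDENED_HTACCESS),
                       ("theme", THEME_HTACCESS)]:
        report = audit_htaccess(body)
        print(f"== {name}: {len(report)} finding(s) ==")
        for no, msg in report:
            print(f"  line {no}: {msg}")
```

Run it over a checkout with something like `find . -name .htaccess` feeding each file to `audit_htaccess`; the weak fragment yields one finding per access directive inside the block, while the two deny-all / allow-all fragments yield none, which is exactly the property the final patch relies on.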
Pushing out all these discussions bugs to 3.4.6
Target Milestone: 3.4.5 → 3.4.6
Assignee: laura → lorchard
Revised the .htaccess files and added one for themes/ (for bug 374045), which deny access to *.php rather than denying by method, since that seems to have been the original purpose in the out-of-box Vanilla versions.
Attachment #329102 - Flags: review?(laura)
Comment on attachment 329102 [details] [diff] [review]
Revised .htaccess files denying access to *.php rather than by method

In the conf dir, there's a readme which will be exposed by these. Also, what if somebody adds a .inc etc. file? Would it be better to just have an unrestricted <Limit>?
I think just dropping the <Limit> tag will be better - why should it be possible to access these directories from the web?
Okay, new patch. Dropping all limit tags to deny all web access to the Vanilla lib directories, adding another couple of .htaccess files to re-allow access to CSS and images per bug 374045.
Attachment #329102 - Attachment is obsolete: true
Attachment #330273 - Flags: review?(laura)
Attachment #329102 - Flags: review?(laura)
Attachment #330273 - Flags: review?(fwenzel)
When you introduce a rule for /themes, won't that apply to all subdirectories as well? I think so, so there's no reason to repeat the same ones in subdirectories again.

Also, if you're solving bug 374045 in here, will you dupe it to this?
Attachment #330273 - Flags: review?(laura)
Attachment #330273 - Flags: review?(fwenzel)
Attachment #330273 - Flags: review-
The rule for /themes is to deny all, which is overridden to allow all in the individual theme directories with CSS and image files. Is that what you're seeing...? If so, it's not a repeat.

I'll also dupe bug 374045 to this one - this one is more inclusive.
Comment on attachment 330273 [details] [diff] [review]
Revised .htaccess files denying all access, except for theme directories with CSS / images

See, had I read the patch right, I'd have noticed that. ;)

Sorry. Yes, this makes so much more sense than what I imagined before.
Attachment #330273 - Flags: review- → review+
Fixed in r17169
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard