Closed
Bug 374046
Opened 17 years ago
Closed 16 years ago
Access control in discussions subdirectories restricted to some methods
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
3.4.6
People
(Reporter: jwkbugzilla, Assigned: lorchard)
Attachments
(1 file, 1 obsolete file)
/app/webroot/discussions/ has several subdirectories with .htaccess files like this one:

<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>

Why are only GET, POST and PUT denied? Am I still allowed to access the directory using the HEAD method? From http://httpd.apache.org/docs/2.0/mod/core.html#limit: "In the general case, access control directives should not be placed within a <Limit> section."

Note that I still got 403 Forbidden when trying to access some file using the HEAD method but I guess it was the cache server translating HEAD into GET.
Severity: major → normal
Updated•16 years ago
Assignee: nobody → laura
Target Milestone: --- → 3.4.5
Comment 1•16 years ago
Pushing out all these discussions bugs to 3.4.6
Target Milestone: 3.4.5 → 3.4.6
Assignee
Updated•16 years ago
Assignee: laura → lorchard
Assignee
Comment 2•16 years ago
Revised the .htaccess files and added one for themes/ (for bug 374045) which deny access to *.php rather than deny by method, since that seems to have been the original purpose for the out-of-box Vanilla versions.
Assignee
Updated•16 years ago
Attachment #329102 -
Flags: review?(laura)
Comment 3•16 years ago
Comment on attachment 329102
Revised .htaccess files denying access to *.php rather than by method

In the conf dir, there's a readme which will be exposed by these. Also, what if somebody adds a .inc etc file? Would it be better to just have an unrestricted <Limit>?
Reporter
Comment 4•16 years ago
I think just dropping the <Limit> tag will be better - why should it be possible to access these directories from the web?
Assignee
Comment 5•16 years ago
Okay, new patch. Dropping all limit tags to deny all web access to the Vanilla lib directories, adding another couple of .htaccess files to re-allow access to CSS and images per bug 374045
Attachment #329102 -
Attachment is obsolete: true
Attachment #330273 -
Flags: review?(laura)
Attachment #329102 -
Flags: review?(laura)
Assignee
Updated•16 years ago
Attachment #330273 -
Flags: review?(fwenzel)
Comment 6•16 years ago
When you introduce a rule for /themes, won't that apply to all subdirectories as well? I think so, so there's no reason to repeat the same ones in subdirectories again. Also, if you're solving bug 374045 in here, will you dupe it to this?
Updated•16 years ago
Attachment #330273 -
Flags: review?(laura)
Attachment #330273 -
Flags: review?(fwenzel)
Attachment #330273 -
Flags: review-
Assignee
Comment 7•16 years ago
The rule for /themes is to deny all, which is overridden to allow all in the individual theme directories with CSS and image files. Is that what you're seeing...? If so, it's not a repeat. I'll also dupe bug 374045 to this one - this one is more inclusive.
Comment 9•16 years ago
Comment on attachment 330273
Revised .htaccess files denying all access, except for theme directories with CSS / images

See, had I read the patch right, I'd have noticed that. ;) Sorry. Yes, this makes so much more sense than what I imagined before.
Attachment #330273 -
Flags: review- → review+
Assignee
Comment 10•16 years ago
Fixed in r17169
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated•8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard
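Added example, not part of the bug thread or the committed patch: a check for the pattern reported in the description, where access-control directives sit inside a <Limit> section and therefore apply only to the listed methods. The function names and the DENY_ALL sample are constructed for illustration; REPORTED is the .htaccess quoted in the description.

```python
import re
from pathlib import Path

# Directives that grant or deny access (Apache 2.0/2.2 and 2.4 spellings).
ACCESS_DIRECTIVES = {"order", "allow", "deny", "satisfy", "require"}
# Matches <Limit ...> but not <LimitExcept ...>.
OPEN_LIMIT = re.compile(r"<Limit\b([^>]*)>", re.IGNORECASE)
CLOSE_LIMIT = re.compile(r"</Limit>", re.IGNORECASE)

def method_scoped_rules(text):
    """Return (line_no, methods, directive) for each access rule inside <Limit>."""
    findings, methods = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_LIMIT.match(line)
        if opened:
            methods = opened.group(1).split()
        elif CLOSE_LIMIT.match(line):
            methods = None
        elif methods is not None and line.split()[0].lower() in ACCESS_DIRECTIVES:
            # This rule is only enforced for the methods named on <Limit>.
            findings.append((line_no, methods, line))
    return findings

def audit_tree(root):
    """Map each .htaccess under root that has method-scoped rules to its findings."""
    report = {}
    for path in sorted(Path(root).rglob(".htaccess")):
        hits = method_scoped_rules(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# The file quoted in the bug description.
REPORTED = """<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>
"""
# Constructed sample: the same rules with the <Limit> wrapper dropped.
DENY_ALL = """Order Allow,Deny
Deny from All
"""

if __name__ == "__main__":
    for line_no, methods, directive in method_scoped_rules(REPORTED):
        print(f"line {line_no}: '{directive}' applies only to {' '.join(methods)}")
    print("unscoped file findings:", method_scoped_rules(DENY_ALL))
```

Running audit_tree() over a webroot lists every .htaccess whose allow/deny rules are scoped to specific methods, which is the set of files to review.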