Bug 65572 - bugzilla's shadow dir allows viewing of bugs without permission
Status: VERIFIED FIXED (Closed)
Opened 24 years ago; closed 24 years ago
Product/Component: Bugzilla :: Bugzilla-General, defect
Target Milestone: Bugzilla 2.12
Reporter: uamjet602, Assigned: barnboy
Whiteboard: security
Look at bug 34674. Using a normal bugzilla account (or no account) you will get 'you do not have permission to view this bug'. Now look at http://bugzilla.mozilla.org/shadow/34674 Actual result: shows bug Expected result: Permission denied The shadow directory should contain an .htaccess file disallowing viewing anything from this directory. The documentation and the checksetup script do not mention this.
Comment 1•24 years ago
Yowsers! Ping endico, dmose.
Comment 2•24 years ago
Oops, there are hidden bugs? Why is there a need for something like this anyways? I thought this would be an open source project?
Comment 3•24 years ago
Security bugs mainly. There were Netscape-confidential bugs but they're being added to Bugscape now. But that's irrelevant. This is about Bugzilla, not Mozilla.
Comment 4•24 years ago
Just added a .htaccess file to bugzilla.mozilla.org to keep people out of the shadow directory on bugzilla.mozilla.org. Leaving the bug open so the problem can be dealt with in the main codebase.
endico, would you mind telling what .htaccess file you used? I'm no expert in using them, they never do what I intend :)
Comment 7•24 years ago
I recall Tara mentioning in IRC earlier that she was going to reassign this to Matt for documentation review. Guess she didn't get a round tuit.
Assignee: tara → barnboy
Comment 8•24 years ago
Am I correct in thinking that the shadow directory is only used by oldemailtech? So when we nuke the code for oldemailtech, this problem will go away....
Comment 9•24 years ago
Dave: correct; killing oldemailtech will kill this bug too.
Comment 10•24 years ago
Does killing oldemailtech actually wipe the shadow directory, or does it just cause the shadow directory to not get updated any more?
Comment 11•24 years ago
Shadow directory would no longer get updated. I assume at the point we kill it that checksetup.pl would start deleting it if it existed.
Comment 12•24 years ago
What needs to be done here for 2.12? Documenting the need for a .htaccess? Dawn - any chance of posting the one you used? Gerv
Comment 13•24 years ago
I can't say for sure what Dawn used, but the simplest form of .htaccess to solve this appears to be:
------------- begin .htaccess ------------------------------------------
deny from all
-------------- end .htaccess -------------------------------------------
Comment 14•24 years ago
Documenting the need for .htaccess would be the easiest fix. Adding something to checksetup.pl to create the file automatically would be better, wouldn't it? I have .htaccess files in bugzilla/data and bugzilla/shadow. As Jake mentioned, they just contain "deny from all".
Comment 15•24 years ago
They don't include Dawn's data .htaccess. They seem to be responsible for breaking quip lists and bug charts. =)
Comment 16 (Reporter)•24 years ago
If you allow the machine that creates dependency graphs (typically: www.research.att.com) they will probably work. Perhaps the data needs to be split (one dir for (potentially) confidential things like bug description, one dir for public things like the quip list).
Comment 17•24 years ago
... or perhaps the quip list should be moved to the database finally (bug 67950).
Comment 18•24 years ago
... or provide access through cgis. But I think the point is that we need to decide what to do for 2.12, which is due RSN.
Comment 19•24 years ago
OK, in data/, you need this:
----- begin .htaccess -----
<Files comments>
allow from all
</Files>
deny from all
----- end .htaccess -----
That will get the quip list working again.
Comment 20•24 years ago
hihi if ( FireWall ) { We Need Master Genius } else if ( Software_IP_filter ) { We Need still need Master Genius } else { Your Dead Meat For Sure -:)) }
Updated•24 years ago
Whiteboard: 2.12 → 2.12, security
Updated•24 years ago
Summary: bugzilla allows viewing of bugs without permission → bugzilla's shadow dir allows viewing of bugs without permission
Comment 21•24 years ago
moving to real milestones...
Whiteboard: 2.12, security → security
Target Milestone: --- → Bugzilla 2.12
Comment 22•24 years ago
So, to fix this bug, we check the above .htaccess into the data directory? Gerv
Comment 23•24 years ago
The above .htaccess will probably break charting.
Comment 24•24 years ago
I thought charting uses the "graphs" directory now, instead of "data" for this reason...
Comment 25•24 years ago
I'm only going on b.m.o. If this has changed since 2.10, ignore my above comments.
Comment 26 (Assignee)•24 years ago
I have put the relevant information into the Bugzilla Guide now, instructing to disallow access to $BUGZILLA_HOME/localconfig and $BUGZILLA_HOME/data/ except for data/comments. I should be checking the change in tonight or tomorrow morning. I mention that the .htaccess files are *not* effective for anything other than Apache or NCSA; I am unsure if iPlanet honors .htaccess controls.
I have placed the following .htaccess files in these locations in my local cvs repository (I would appreciate your buyoff in a comment before I check them in, I plan on checking in late tonight or early tomorrow morning):
$BUGZILLA_HOME/data/
--begin .htaccess
<Files comments>
allow from all
</Files>
deny from all
--end .htaccess
$BUGZILLA_HOME/shadow/
--begin .htaccess
deny from all
--end .htaccess
$BUGZILLA_HOME/
<Files localconfig>
deny from all
</Files>
allow from all
I am marking these bugs as *resolved fixed* since the fix remains simply to check into CVS. If you disagree with this assessment, feel free to reopen the bug : )
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
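The three .htaccess files from the comment above, as an added shell example that is neither Bugzilla's own checksetup.pl nor part of this bug's comments: it writes them under a Bugzilla root passed as $1 (an assumed path) and verifies that every protected directory actually carries a "deny from all" rule, the kind of check comment 14 asks checksetup.pl to do. As the comment notes, these files only take effect under Apache (and only where AllowOverride permits Limit directives); Apache 2.4 and later spell the rule "Require all denied" instead.

```shell
#!/bin/sh
# Added example, not Bugzilla's own code. $1 is assumed to be $BUGZILLA_HOME.
# Syntax is the Apache 1.3/2.2 "deny from all" form used in the bug thread;
# Apache 2.4+ needs "Require all denied" in its place.

# Create the three .htaccess files from comment 26.
install_htaccess() {
    home="$1"
    mkdir -p "$home/data" "$home/shadow" || return 1
    # data/: deny everything except the "comments" file (the quip list)
    printf '%s\n' '<Files comments>' 'allow from all' '</Files>' 'deny from all' \
        > "$home/data/.htaccess"
    # shadow/: plain-text copies of bugs, including restricted ones
    printf '%s\n' 'deny from all' > "$home/shadow/.htaccess"
    # top level: only localconfig (database credentials) is hidden
    printf '%s\n' '<Files localconfig>' 'deny from all' '</Files>' 'allow from all' \
        > "$home/.htaccess"
}

# Return 0 when every protected location has an .htaccess containing a
# "deny from all" line; otherwise print the first offending path and return 1.
check_htaccess() {
    home="$1"
    for d in "$home" "$home/data" "$home/shadow"; do
        f="$d/.htaccess"
        if [ ! -f "$f" ] || ! grep -qi '^deny from all' "$f"; then
            echo "missing or incomplete: $f" >&2
            return 1
        fi
    done
    return 0
}

# Usage: sh htaccess.sh /path/to/bugzilla
if [ $# -gt 0 ]; then
    install_htaccess "$1" && check_htaccess "$1" && echo "ok: $1 protected"
fi
```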
Comment 27•24 years ago
r=dave on the .htaccess files
Comment 28 (Assignee)•24 years ago
Allow me to caveat: *I* will be checking this in tonight : )
Comment 29•23 years ago
V. This is documented adequately in the README and Bugzilla Guide.
Status: RESOLVED → VERIFIED
Comment 30•23 years ago
Moving closed bugs to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa