Closed Bug 76154 Opened 23 years ago Closed 23 years ago

.htaccess files

Categories: Bugzilla :: Bugzilla-General, defect, P5

Tracking: RESOLVED FIXED, Bugzilla 2.14

People: Reporter: CodeMachine, Assigned: justdave

Details: Whiteboard: code

Attachments: 2 files

For Bugzilla 2.12 we documented the files that admins have to deny access to. 
For 2.14 we should ship .htaccess files for web servers that support them (just
Apache?)
Target Milestone: --- → Bugzilla 2.14
This should probably be one of the last bugs we complete before shipping 2.14.
There are other bugs pending which will change the definitions of what needs to be
blocked.  (shadow/ is gone, data/comments no longer needs to be accessible by the
webserver, etc.)
Based on Dave's comment, marking P5 so it drops to the bottom of my list ;)
Priority: -- → P5
I'll take care of this when we get to that point.  I have a good set of working 
.htaccess files on my site that can be tweaked and incorporated.
Assignee: tara → justdave
Whiteboard: code
Since the data directory is not in cvs, we'd need to have checksetup.pl drop 
these in after data is created at installation time.  Did I miss any directories?  
Does graphs need to be protected, or is that where the PNGs go for the charts?

+++ .htaccess
# don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pl|localconfig|processmail|syncshadowdb)$>
  deny from all
</FilesMatch>

+++ data/.htaccess
# nothing in this directory is retrievable unless overridden by an .htaccess
# in a subdirectory
deny from all

+++ data/webdot/.htaccess
# Allow access to nothing in this directory except for .dot files
# and don't allow access to those to anyone except research.att.com
# if research.att.com ever changed their IP, or if you use a different
# webdot server, you'll need to edit this
<FilesMatch ^[0-9]+\.dot$>
  Allow from 192.20.225.10
  Deny from all
</FilesMatch>

# And no directory listings, either.
Deny from all
Attached patch: Patch
The attached patch adds a variable (default on) to localconfig to determine if 
you want the .htaccess files created.  If you do, and they don't already exist, 
checksetup.pl will create them.  If they already exist, it won't touch them (in 
case you personalize them on your site).
Keywords: patch, review
r= jake in irc

checked in
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
.htaccess files, if they exist, don't get their group set to the webserver group, 
because glob(*) ignores dotfiles.
Also, cvs actions are flagging .htaccess as an unknown file, so we need to add it to
.cvsignore.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
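Added illustration of the two behaviours discussed in this thread (not Bugzilla's own checksetup.pl code, which is Perl): writing the .htaccess files only when they are absent, and the dotfile gap in a `*` glob that leaves an existing .htaccess without the webserver group. The file bodies are constructed, abbreviated versions of the ones proposed above; the group id is taken from the running user for the demo.

```python
import glob
import os
import tempfile

# Constructed, abbreviated versions of the .htaccess bodies proposed above.
HTACCESS_FILES = {
    ".htaccess": "<FilesMatch ^(.*\\.pl|localconfig|processmail|syncshadowdb)$>\n"
                 "  deny from all\n</FilesMatch>\n",
    "data/.htaccess": "deny from all\n",
}

def install_htaccess(root, create_htaccess=True):
    """Write each .htaccess under root only if missing (the localconfig
    switch described in the thread). Returns the relative paths written."""
    written = []
    if not create_htaccess:
        return written
    for rel, body in HTACCESS_FILES.items():
        path = os.path.join(root, rel)
        if os.path.exists(path):
            continue  # already present: leave site customisations alone
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        written.append(rel)
    return written

def missed_by_glob_star(directory):
    """Entries a '*' glob skips (dotfiles): the gap that left .htaccess
    with the wrong group when ownership was fixed via glob(*)."""
    globbed = {os.path.basename(p) for p in glob.glob(os.path.join(directory, "*"))}
    return sorted(set(os.listdir(directory)) - globbed)

def fix_group(directory, gid):
    """Set the group on every entry; listdir includes dotfiles, unlike glob."""
    touched = []
    for name in os.listdir(directory):
        os.chown(os.path.join(directory, name), -1, gid)  # -1 keeps the owner
        touched.append(name)
    return sorted(touched)

def demo(gid=None):
    """Run the install twice, then show what glob(*) misses and fix the group."""
    root = tempfile.mkdtemp()
    first = install_htaccess(root)
    second = install_htaccess(root)  # second run must not rewrite anything
    missed = missed_by_glob_star(root)
    touched = fix_group(root, os.getgid() if gid is None else gid)
    return first, second, missed, touched
```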
Attached patch: bugfix patch
Looks good to me...

r=jake
checked in.
Status: REOPENED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa