Closed Bug 1019290 Opened 11 years ago Closed 11 years ago

Add instructions to remove query strings from Apache log

Categories

(Bugzilla :: Documentation, enhancement)

Product:
Bugzilla
Component:
Documentation
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Bugzilla 5.0

People

(Reporter: mail, Assigned: gautamvishant)

Details

Attachments

(1 file, 4 obsolete files)

installation.rst.patch
1.21 KB, patch
mail
: review+
Details | Diff | Splinter Review
With REST calls being part of Bugzilla 5.0, I think it is important to make a note in the installations guide (and release notes?) to configure Apache not to write the query string in its log files. If this is not done, then login, passwords and tokens are all up for grabs with get calls e.g. https://bugzilla.site/rest/bug/1000?Bugzilla_login=foo@bar.com&Bugzilla_password=baz http://bugzilla.site/rest/bug/1000?Bugzilla_token=213-XC5eghER While some big sites (like bmo) have tight access to their log files, a lot of smaller companies will have many staff members to have access to the machine that hosts their Bugzilla installation, or even worse, are on shared hosting.
Whiteboard: [good first bug]
Attached patch apache2.patch (obsolete) — Splinter Review
Comment on attachment 8448849 [details] [diff] [review] apache2.patch The only change required it to the config file is to the ErrorLog lines. There is no need to add things like Include conf.d/ and sites-enabled/ (both which are usually done in the parent apache2.conf or httpd.conf file). Admin note: When submitting a patch, please set the review flag and make one of the suggested reviewers a requestee.
Attachment #8448849 - Flags: review-
Attached patch apache2.patch (obsolete) — Splinter Review
Attachment #8449454 - Flags: review?(sgreen)
Comment on attachment 8449454 [details] [diff] [review] apache2.patch Review of attachment 8449454 [details] [diff] [review]: ----------------------------------------------------------------- Two points: 1) Instead of removing \"%r\", it should be replaced with \"%m %U\", which gives the same information, just without the query params. 2) This patch does not seem to match any existing file in the upstream Bugzilla installation. The suggestion in comment #0 is to update the documentation, which lives in docs/en/rst/installation.rst
Attachment #8449454 - Flags: review?(sgreen) → review-
(In reply to Simon Green from comment #5) > Comment on attachment 8449454 [details] [diff] [review] > apache2.patch > > Review of attachment 8449454 [details] [diff] [review]: > ----------------------------------------------------------------- > > Two points: > 1) Instead of removing \"%r\", it should be replaced with \"%m %U\", which > gives the same information, just without the query params. > > 2) This patch does not seem to match any existing file in the upstream > Bugzilla installation. The suggestion in comment #0 is to update the > documentation, which lives in docs/en/rst/installation.rst I have bugzilla 4.4.4 installed on ubuntu 14.04 but i was unable to find 'docs/en/rst/installation.rst';
(In reply to Vishant Gautam from comment #6) > I have bugzilla 4.4.4 installed on ubuntu 14.04 but i was unable to find > 'docs/en/rst/installation.rst'; The Bugzilla project moved from DocType to RST for documentation between 4.4 and the current master branch (which will become Bugzilla 5.0). Usually, patches need to be against the current master branch to be considered for review. The exception to this rule is fixing bugs in specific previous versions. -- simon
Attached patch installation.rst.patch (obsolete) — Splinter Review
Attachment #8454979 - Flags: review?(sgreen)
Comment on attachment 8454979 [details] [diff] [review] installation.rst.patch +#. Replace \"%r\" with \"%m %U\". Extra spaces betweem m and %, and a few trailing whitespaces, can be fixed on commit.
Attachment #8454979 - Flags: review?(sgreen) → review+
Flags: approval?
Attachment #8448849 - Attachment is obsolete: true
Attachment #8449454 - Attachment is obsolete: true
Comment on attachment 8454979 [details] [diff] [review] installation.rst.patch Review of attachment 8454979 [details] [diff] [review]: ----------------------------------------------------------------- i'd like to see a new patch prior to approving this. ::: installation.rst @@ +751,5 @@ > +Apache *httpd * log files with bugzilla > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > + > +Some configuration is required to prevent Apache from logging > +query strings this change isn't _required_ for bugzilla to work. it needs to be phrased as a recommendation, and needs to state why we recommend this. for example: "When some external systems interact with Bugzilla via its web services (REST/XMLRPC/JSONRPC) they include the user's credentials as part of the URL (query-string). For security reasons we recommend configuring Apache to not include the query-string in its log files to avoid storing passwords in clear text on the server." it also needs to end with a period. @@ +754,5 @@ > +Some configuration is required to prevent Apache from logging > +query strings > + > +#. Load :file:`httpd.conf` or :file:`apache2.conf` in your editor. > + In most of the distros this file is found in :folder:`/etc/httpd/httpd.conf` "distros" should say "Linux distributions". "distros" is slang and should be avoid in documentation.
Attachment #8454979 - Flags: review-
Assignee: documentation → gautamvishant
Flags: approval?
Attached patch installation.rst.patch (obsolete) — Splinter Review
Attachment #8455150 - Flags: review?(glob)
Attachment #8455150 - Flags: review?(glob) → review?(sgreen)
Attachment #8454979 - Attachment is obsolete: true
Comment on attachment 8455150 [details] [diff] [review] installation.rst.patch Review of attachment 8455150 [details] [diff] [review]: ----------------------------------------------------------------- The typos that need to be fixed. It would also be good if you can remove the trailing whitespace, although this can be fixed on commit. ::: installation.rst @@ +750,5 @@ > > +Apache *httpd * log files with bugzilla > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > + > +For security reasons some configuration is recommended to prevent Apache from logging replace "some configuration" with "it" @@ +754,5 @@ > +For security reasons some configuration is recommended to prevent Apache from logging > +query strings. > + > +For example: > +When exterenal systems interact with Bugzilla via it webservices (REST/XMLRPC/JSONRPC) remove "it" @@ +760,5 @@ > +reasons we recommend configuring Apache to not include the query-string in its log > +files to avoid storing passwords in clear text on the server. > + > +#. Load :file:`httpd.conf` or :file:`apache2.conf` in your editor. > + In most of the Linux distributions this file is found in :folder:`/etc/httpd/httpd.conf` /etc/httpd/conf/httpd.conf
Attachment #8455150 - Flags: review?(sgreen) → review-
Attachment #8464769 - Flags: review?(sgreen)
Attachment #8455150 - Attachment is obsolete: true
Attachment #8464769 - Flags: review?(sgreen) → review+
Flags: approval?
> +When exterenal systems interact with Bugzilla via webservices (REST/XMLRPC/JSONRPC) typo: "external" sgreen: please fix this and remove all trailing whitespace when committing.
Flags: approval? → approval+
Target Milestone: --- → Bugzilla 5.0
Thanks for the patch. To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git 7e1bdaa..b672916 master -> master
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Severity: normal → enhancement
OS: Linux → All
Hardware: x86_64 → All
Whiteboard: [good first bug]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: