Bug 186383 - Checksetup leaves editor backups of localconfig accessible
Status: RESOLVED FIXED
Whiteboard: [fixed on trunk][fixed in 2.14.5][fix...
Product: Bugzilla
Classification: Server Software
Component: Installation & Upgrading
Version: 2.17.1
Hardware: All, OS: All
Importance: P1 blocker
Target Milestone: Bugzilla 2.18
Assigned To: Joel Peshkin
QA Contact: default-qa
Reported: 2002-12-21 04:15 PST by Joel Peshkin
Modified: 2016-08-24 17:08 PDT
CC: 11 users
justdave: approval+

Attachments
Patch for new sites (622 bytes, patch) - 2002-12-21 04:28 PST, Joel Peshkin - no flags
Patch including repair code (1.12 KB, patch) - 2002-12-21 08:38 PST, Joel Peshkin - zach: review+
Same patch for 2_16 (1.15 KB, patch) - 2002-12-21 08:55 PST, Joel Peshkin - zach: review+
Same patch for 2_14 (1.12 KB, patch) - 2002-12-21 08:58 PST, Joel Peshkin - zach: review+
Further patch for TIP.. only remove the ~ (919 bytes, patch) - 2002-12-21 21:46 PST, Joel Peshkin - no flags
Further patch for 2.14 (930 bytes, patch) - 2002-12-21 21:47 PST, Joel Peshkin - no flags
Further patch for 2.14 (960 bytes, patch) - 2002-12-21 21:49 PST, Joel Peshkin - no flags
Replacement patch for TIP (1.33 KB, patch) - 2002-12-22 07:29 PST, Joel Peshkin - mozpreed: review+
Replacement patch for 2_16 (1.36 KB, patch) - 2002-12-22 07:50 PST, Joel Peshkin - burnus: review+
Replacement patch for 2_14 (1.33 KB, patch) - 2002-12-22 07:55 PST, Joel Peshkin - burnus: review+

Description Joel Peshkin 2002-12-21 04:15:56 PST
Any user who uses vim will have files such as localconfig~ which are left
accessible.
Comment 1 Bradley Baetz (:bbaetz) 2002-12-21 04:25:55 PST
I just fixed this for bugzilla-stable on landfill...

We _so_ need to move all of this stuff out of the webtree, but I don't think we
have the infrastructure yet for that.
Comment 2 Joel Peshkin 2002-12-21 04:28:07 PST
Created attachment 109889
Patch for new sites

This is a change to checksetup that causes it to write the right .htaccess file
in the first place

The problem, however, is that checksetup will only create the file if it
doesn't already exist.
Comment 3 Joel Peshkin 2002-12-21 04:34:41 PST
Actually, this should be done as a checksetup issue...
Comment 4 Joel Peshkin 2002-12-21 08:38:38 PST
Created attachment 109897
Patch including repair code

OK, this patch changes the .htaccess file from
localconfig|nextfile
to
localconfig.*|nextfile
which will work for anyone who let checksetup build .htaccess for them and runs
checksetup again.
Comment 5 Joel Peshkin 2002-12-21 08:55:42 PST
Created attachment 109899
Same patch for 2_16
Comment 6 Joel Peshkin 2002-12-21 08:58:04 PST
Created attachment 109900
Same patch for 2_14
Comment 7 J. Paul Reed [:preed] 2002-12-21 10:55:36 PST
It's a good thing I'm such a slacker and we haven't released yet... ;-)

Are we gonna fold this fix into the security announcement for 2.14.x/2.16.x, and
the three releases due out this weekend (2.14.5 and 2.16.2 and 2.17.2)? Justdave?

Bueller?

Bueller?
Comment 8 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-12-21 11:15:45 PST
yes, we'll hold release for this.
Comment 9 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-12-21 11:29:50 PST
make it so
Comment 10 Joel Peshkin 2002-12-21 13:17:31 PST
On HEAD:
Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v  <--  checksetup.pl
new revision: 1.212; previous revision: 1.211
done

On BUGZILLA-2_14_1-BRANCH:
Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v  <--  checksetup.pl
new revision: 1.99.2.2; previous revision: 1.99.2.1
done

On BUGZILLA-2_16-BRANCH:
Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v  <--  checksetup.pl
new revision: 1.149.2.12; previous revision: 1.149.2.11
done
Comment 11 Joel Peshkin 2002-12-21 21:46:08 PST
Created attachment 109929
Further patch for TIP.. only remove the ~
Comment 12 Joel Peshkin 2002-12-21 21:47:20 PST
Created attachment 109930
Further patch for 2.14
Comment 13 Joel Peshkin 2002-12-21 21:48:10 PST
OOPS, forgot about localconfig.js; it must be accessible.
Comment 14 Joel Peshkin 2002-12-21 21:49:17 PST
Created attachment 109931
Further patch for 2.14
Comment 15 Gervase Markham [:gerv] 2002-12-22 01:41:02 PST
Note that some editors use "~localconfig" or "#localconfig" or other schemes.

Surely it's the responsibility of an admin to configure their editor not to
leave backups of sensitive files lying around? :-)

Are we going to have to rename localconfig.js to make this work, or can we add
an exception for it?

Gerv
Comment 16 J. Paul Reed [:preed] 2002-12-22 03:20:14 PST
Ok... so are we (yet again) holding the release for this?

There's a reason I put "released this weekend" in the status report... I wanted
to give us the flexibility for stuff like this. :-)
Comment 17 Joel Peshkin 2002-12-22 07:29:27 PST
Created attachment 109937
Replacement patch for TIP

This patch requires backing out the old patch first

This uses .*localconfig.*
but then countermands that in a subsequent block with an allow from all
Comment 18 J. Paul Reed [:preed] 2002-12-22 07:32:24 PST
Ok... just talked to joel on IRC, and I guess the checked in patch isn't good
enough; when this bug is closed again, with the proper fix checked in on all the
branches, I'll go ahead and retag all the releases, which I have to do anyway
because we forgot relnotes for 2.14.5 and 2.16.2.
Comment 19 J. Paul Reed [:preed] 2002-12-22 07:40:58 PST
Comment on attachment 109937
Replacement patch for TIP

Tested on landfill w/ 2.17.2; looks good.

r=preed
Comment 20 Joel Peshkin 2002-12-22 07:50:53 PST
Created attachment 109938
Replacement patch for 2_16

Same for 2.16
Back out prior patch first
Comment 21 Joel Peshkin 2002-12-22 07:55:31 PST
Created attachment 109939
Replacement patch for 2_14

Same story, back out prior patch first
Comment 22 Tobias Burnus 2002-12-22 08:11:24 PST
Comment on attachment 109938
Replacement patch for 2_16

TIP version works ok, TIP/2.16/2.14 look ok and apply ok.

r=burnus

(Hopefully not too many have already run ./checksetup from tip, otherwise
localconfig.js is unavailable. Maybe
+    if ($oldaccess =~ s/\|localconfig\|/\|.*localconfig.*\|/) {
should be changed to
+    if ($oldaccess =~ s/\|localconfig(\.\|)?\|/\|.*localconfig.*\|/) {
At least I have already run the wrong update.)
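The .htaccess change discussed in comments 4, 17 and 22, as an added Python model (this is not code from Bugzilla, checksetup.pl or the attached patches). The .htaccess fragments are constructed to match the shape described in the thread; their exact layout is an assumption. The model treats FilesMatch sections the way Apache does for this purpose: sections are applied in file order and a later matching section overrides an earlier one, which is what lets the trailing "allow from all" countermand the broad deny for localconfig.js. The repair regex renders the comment-22 suggestion with an optional `(\.\*)?` group so that both the untouched and the interim form of the file are widened.

```python
import re

# Constructed .htaccess fragments in the shape checksetup writes (exact layout
# is an assumption, not copied from checksetup.pl). ORIGINAL is the form from
# comment 4 that only blocks the literal name "localconfig"; INTERIM is the
# first fix, which blocks "localconfig.*" and therefore also hides localconfig.js.
ORIGINAL = (
    "<FilesMatch ^(.*\\.pl|localconfig|nextfile)$>\n"
    "  deny from all\n"
    "</FilesMatch>\n"
)
INTERIM = ORIGINAL.replace("|localconfig|", "|localconfig.*|")

# The block the replacement patch appends so the two public files stay readable.
PUBLIC_BLOCK = (
    "<FilesMatch ^(localconfig.js|localconfig.rdf)$>\n"
    "  allow from all\n"
    "</FilesMatch>\n"
)


def repair_htaccess(text):
    """Rewrite an existing .htaccess as the replacement patch is described:
    widen the deny pattern to .*localconfig.* (covering localconfig~,
    #localconfig and localconfig.bak alike) and append the allow block for the
    two public files. The optional (\\.\\*)? group is this example's rendering
    of the comment-22 suggestion: it accepts both the untouched '|localconfig|'
    form and the interim '|localconfig.*|' form. A file that already carries
    '|.*localconfig.*|' matches neither, so running the repair twice is safe."""
    new, n = re.subn(r"\|localconfig(\.\*)?\|", "|.*localconfig.*|", text)
    if n and "localconfig.js" not in new:
        new += PUBLIC_BLOCK
    return new


def parse_filesmatch(text):
    """Collect (compiled pattern, 'deny'|'allow') for each FilesMatch section,
    in file order. Only the simple 'deny/allow from all' bodies used here are
    recognised; this models the relevant Apache behaviour, it is not a parser
    for arbitrary .htaccess files."""
    rules = []
    for m in re.finditer(
        r"<FilesMatch ([^\s>]+)>\s*(deny|allow) from all\s*</FilesMatch>", text
    ):
        rules.append((re.compile(m.group(1)), m.group(2)))
    return rules


def access(text, filename):
    """Decide whether a request for FILENAME is served. Sections are evaluated
    in order and the last matching section wins, so a later 'allow from all'
    overrides an earlier 'deny from all' for the names both patterns match."""
    decision = "allow"  # nothing matched: these sections impose no restriction
    for pattern, verdict in parse_filesmatch(text):
        if pattern.search(filename):
            decision = verdict
    return decision


def report(text, names):
    """Map each filename to its access decision under the given .htaccess."""
    return {name: access(text, name) for name in names}


if __name__ == "__main__":
    # Constructed sample of files an admin's editor might leave in the webtree.
    names = ["localconfig", "localconfig~", "#localconfig", "localconfig.bak",
             "localconfig.js", "localconfig.rdf", "checksetup.pl", "index.cgi"]
    for label, text in [("original", ORIGINAL), ("interim", INTERIM),
                        ("repaired", repair_htaccess(ORIGINAL))]:
        print(label)
        for name, verdict in report(text, names).items():
            print(f"  {name:16} {verdict}")
```

Running the block shows the three states side by side: the original file serves localconfig~ and #localconfig, the interim file closes those but also blocks localconfig.js, and the repaired file denies every name containing "localconfig" except the two re-allowed by the trailing section. The model also makes the ordering point visible: whatever section is last in the file has the final say for the names it matches.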
Comment 23 Dave Miller [:justdave] (justdave@bugzilla.org) 2002-12-22 13:36:16 PST
Comment on attachment 109937
Replacement patch for TIP

Note that this patch will add the FilesMatch for allowing the .js and .rdf at
the end of the .htaccess file...  if a site is blocking IPs because of robots
or DOSes (like mothra), this will put the new check after those, thus allowing
the banned IPs to still access those files (because an "allow from all" was the
last match).  Probably doesn't matter a whole lot.  People who are maintaining
that type of thing can fix it themselves. :-)
Comment 24 Joel Peshkin 2002-12-22 17:58:19 PST
Fixed in all 3 branches (again)
Comment 25 Joel Peshkin 2003-01-02 13:46:44 PST
Public notice complete. Removing security flag.
Comment 26 alan johnson 2003-08-23 04:00:18 PDT
lack of response
Comment 27 Dave Miller [:justdave] (justdave@bugzilla.org) 2003-08-23 19:34:07 PDT
lack of response to what?  it's already fixed.