Open Bug 186601 Opened 19 years ago Updated 10 years ago

Remove localconfig and data/ from the Bugzilla webroot

Categories: Bugzilla :: Installation & Upgrading, enhancement

People: Reporter: sergey, Unassigned

Attachments: 1 file

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021209
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021209

My message to the newsgroup of 10/07/02:

For the purpose of having multiple Bugzilla repositories on the same system
reusing same source code, I adjusted Bugzilla to use localconfig and data/
information located one level *above* Bugzilla home, like this:

/projectA/config/bugzilla/localconfig
/projectA/config/bugzilla/data/...
/projectA/config/bugzilla/cgi -> symlink to /usr/share/bugzilla where
                                  the actual code is
/projectB/config/bugzilla/localconfig
/projectB/config/bugzilla/data/...
/projectB/config/bugzilla/cgi -> symlink to /usr/share/bugzilla

This way, globals.pl locates localconfig and data/ and sets several
global variables to point at relevant files/directories. All other
Bugzilla modules are reusing these variables instead of having them
hard-coded. Things like database info and data/params are then different
for each repository, while source code is the same.

I have also parameterized all paths that I could find.

Reproducible: Always

Steps to Reproduce:




I'm attaching the patch which is NOT ready for inclusion into Bugzilla because
it breaks many rules and all previous installations. But in order to move
forward I need feedback as to whether Bugzilla needs this change.
This is a complete diff against Bugzilla tip of 2002-12-19 (2.17.2 pretty much)
* CGI.pl
  Escape quote to make EMACS happy
  ReplaceScriptName is used to take current script's full (physical) path, and
    change the basename to something else, in this case `processmail' script
* attachment.cgi
  ReplaceScriptName for processmail script
* checksetup.pl
  Use all parameterized paths
  `which` doesn't work when checksetup is run using full path (explained later),
    so it's better to check defaults first
  "DROP TABLE" replaced with "delete all data and notify that the table must be
    dropped", because mysql account shouldn't have "drop table" permissions
* collectstats.pl, defparams.cgi, duplicates.cgi, editcomponents.cgi
* editkeywords.cgi, editmilestones.cgi, editproducts.cgi, editversions.cgi
* processmail
  Parameterized paths
* doeditparams.cgi, importxml.pl, move.pl, post_bug.cgi, process_bug.cgi
* contrib/bug_email.pl, contrib/bugzilla_email_append.pl
  Parameterized paths
  ReplaceScriptName for syncshadowdb or processmail scripts
* globals.pl
  A small "mis-diff" ;-) because earlier version of the patch was implemented in
    this file
  Wrong diff for contenttypes (sorry about this mess)
  Parameterized paths mainly
* quicksearch.html, quicksearchhack.html, template/en/default/sidebar.xul.tmpl
  inclusion of localconfig.js from parent dir ../ which probably doesn't work
* reports.cgi
  Removed a parameter $dir "destination directory" because it's always the same
  $graph_dir parameterized
  Parameterized paths
* showdependencygraph.cgi
  Parameterized paths
  Needs another small module which would simply load an image generated in
    "now hidden" data/ folder and send it straight through
  Doesn't work "as is" right now
* Bugzilla/Config.pm
  The meat of changes: sets all the path-parameters
  Calculation of a directory where `localconfig' is, is complicated by the fact
    that Perl is too eager to dereference all symlinks
  In other languages (I also dealt with similar change to other web-based
    products) I was able to just "get parent folder" and it wasn't dereferenced
  $contenttypes is fixed now but it used to be broken in Bugzilla 2.17, so I
    made the correction myself and didn't change it after Bugzilla was fixed
  Error messages have sometimes been changed to a more "amorphous" text because
    they might appear in the actual output to a malicious user who doesn't have
    to know where the absolute file locations
Blocks: 44659
Component: Bugzilla-General → Installation & Upgrading
OS: Linux → All
Hardware: PC → All
Target Milestone: --- → Bugzilla 2.18
errr...  "Reassign to default"  :)  (knew I was forgetting something)
Assignee: justdave → zach
Comment on attachment 110035
bugzilla-paths.patch

per reporter, this is not ready for inclusion in Bugzilla, so marking as such. 
This is severely bitrotted by now anyway.  The data directory can already be
moved by editing one line in Bugzilla/Config.pm now (as can the template
directory and the location of the localconfig file).

There's still a fair bit to be done though.  (We need this to get Debian to
stop patching us for their package ;)
Attachment #110035 - Flags: review-
enhancements without current patches are being pushed to 2.20
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
removing localconfig and data from webroot is good from a security point of
view when you're using a web server that doesn't honour the .htaccess rules (eg
iis, some apache configs).

it took me less than a minute of googling to locate a bugzilla install with a
world readable localconfig and data/params (running on apache, with
$create_htaccess = 1).

localconfig and data can already be moved.  The main remaining problem is
getting the "displayed by webserver" stuff (html/js/css/gif/etc) separated from
the executable (cgi) stuff.  (Oh, and getting an installer or something to let
you choose where they all go at install time, instead of having to move the
files yourself and changing the line in Config.pm to tell where they are).
> localconfig and data can already be moved

yup, however i feel they should be moved by default.

> getting the "displayed by webserver" stuff (html/js/css/gif/etc)
> separated from the executable (cgi) stuff

i don't think that cgi's should be separated from static pages, i just expect
files that are not directly accessible externally (localconfig, data/,
templates, etc) be relocated outside of the wwwroot.

main problem is implementing this without breaking existing installs, however i
suspect bug 44659 covers this.
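
A local audit of the layouts discussed in this thread, as an added example that is not part of the bug or of Bugzilla's code: it checks whether localconfig, data/ and template/ resolve to somewhere the web server's document root can reach, following symlinks in both directions. The function names and the sample directory trees (built in a temporary directory) are assumptions made for the illustration.

```python
import os
import tempfile

# Names the thread lists as not meant to be fetched directly.
SENSITIVE = ("localconfig", "data", "template")

def reachable(target, webroot):
    """True if some path under webroot resolves to target or to a directory holding it."""
    target, root = os.path.realpath(target), os.path.realpath(webroot)
    if os.path.commonpath([target, root]) == root:
        return True  # physically inside the webroot; only .htaccess protects it
    # A symlink inside the webroot can point back out at the protected files.
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            link = os.path.join(dirpath, entry)
            if os.path.islink(link):
                dest = os.path.realpath(link)
                if os.path.commonpath([target, dest]) == dest:
                    return True
    return False

def audit(webroot, instance_dir):
    """Map each sensitive name present in instance_dir to whether the web server can reach it."""
    return {name: reachable(os.path.join(instance_dir, name), webroot)
            for name in SENSITIVE
            if os.path.lexists(os.path.join(instance_dir, name))}

def build_demo(base):
    """Constructed sample trees under base: the report's split layout and a stock install."""
    shared = os.path.join(base, "usr/share/bugzilla")          # shared code
    project = os.path.join(base, "projectA/config/bugzilla")   # per-project files
    stock = os.path.join(base, "var/www/bugzilla")             # all in one webroot
    for d in (shared, os.path.join(project, "data"), os.path.join(stock, "data")):
        os.makedirs(d)
    for d in (project, stock):
        open(os.path.join(d, "localconfig"), "w").close()
    os.symlink(shared, os.path.join(project, "cgi"))
    results = {"split": audit(os.path.join(project, "cgi"), project),
               "stock": audit(stock, stock)}
    # Linking data/ back into the served tree undoes the separation.
    os.symlink(os.path.join(project, "data"), os.path.join(shared, "graphs"))
    results["split_relinked"] = audit(os.path.join(project, "cgi"), project)
    return results

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for layout, found in build_demo(tmp).items():
            print(layout, found)
```

To check a real install, call `audit()` with the document root configured in the web server and the directory that holds localconfig.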
Bugzilla 2.20 feature set is now frozen as of 15 Sept 2004.  Anything flagged
enhancement that hasn't already landed is being pushed out.  If this bug is
otherwise ready to land, we'll handle it on a case-by-case basis, please set the
blocking2.20 flag to '?' if you think it qualifies.
Target Milestone: Bugzilla 2.20 → Bugzilla 2.22
Assignee: zach → installation
QA Contact: mattyt-bugzilla → default-qa
Target Milestone: Bugzilla 2.22 → ---
Summary: Remove localconfig and data/ from the Bugzilla webroot; parameterize paths → Remove localconfig and data/ from the Bugzilla webroot