User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050822 Firefox/1.0.6 (Debian package 1.0.6-3)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050822 Firefox/1.0.6 (Debian package 1.0.6-3)

The .htaccess (in the bugzilla root directory) file that came along with the default installation of Bugzilla is not blocking access to localconfig. I changed it into (separating the clauses '.pl' and localconfig) and it worked:

---
# don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pl)$>
  deny from all
</FilesMatch>
<FilesMatch ^(localconfig|runtests.sh)$>
  deny from all
</FilesMatch>
<FilesMatch ^(localconfig.js|localconfig.rdf)$>
  allow from all
</FilesMatch>
---

Reproducible: Always

Steps to Reproduce:
1. Install Bugzilla and use the default .htaccess file

Actual Results: I could access localconfig through the browser without being asked for any password whatsoever.

Expected Results: Block the access to the file, returning an Error 403 Forbidden.
That .htaccess file does not look like the one we create. Exactly what version of Bugzilla are you using and where did you get it?
I'm using 2.18.3. As for the .htaccess file, I modified it myself because it wasn't working (since localconfig was wide open).
Felipe, we need more information about your configuration. I cannot reproduce this on either the 2.18 branch or the tip, using Linux, Perl 5.8.6 and Apache 2.0.53. And running testserver.pl confirms this: TEST-OK Webserver is preventing fetch of http://localhost/bugzilla218/localconfig.
I pulled 2.18.3 and tried it. No such problem. Felipe, please move your .htaccess file to .htaccess.felipe and run checksetup and see what .htaccess file it generates (and attach it here). Did you get 2.18.3 from our CVS, or did you get a tarfile from someone with a .htaccess file in it?
Well, maybe I got confused after so many edits to the .htaccess file then. I got it from Bugzilla's site (not CVS), and since it was not working because of another problem ( https://bugzilla.mozilla.org/show_bug.cgi?id=299468 ), I started trying every possibility. Sorry for the inconvenience.
In fact, I moved out my edited .htaccess file and ran checksetup.pl and it is still working. It is not a bug after all, I got it wrong. Sorry there guys, and thanks for the attention.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID
Removing the security flag per comment 6.
verf. This works for me too. It's possible that you had Apache configured to ignore .htaccess files, which obviously would produce this result. In any case, I'm glad it works.
Status: RESOLVED → VERIFIED
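A check in the spirit of the testserver.pl result quoted in the thread, given here as an added example (not Bugzilla's code and not part of any comment): it requests each private file and reports whether the web server refuses it. The names `audit` and `start_stub`, the `/bugzilla` path and the local stub server are assumptions for illustration; the stub is a constructed stand-in that applies the deny pattern from the report, or no pattern at all to model a server that ignores .htaccess.

```python
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

PRIVATE_FILES = ["localconfig", "runtests.sh"]  # names from the report's deny rule
# Connect directly; ignore any proxy set in the environment.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch_status(url, timeout=5):
    """GET url and return the status code, including 4xx/5xx responses."""
    try:
        with _opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url, names=PRIVATE_FILES):
    """Return {name: (status, verdict)}; only 401/403 counts as protected."""
    verdicts = {200: "EXPOSED", 401: "BLOCKED", 403: "BLOCKED", 404: "ABSENT"}
    out = {}
    for name in names:
        status = fetch_status(base_url.rstrip("/") + "/" + name)
        out[name] = (status, verdicts.get(status, "UNEXPECTED"))
    return out

def start_stub(deny_pattern):
    """Constructed stand-in server: 403 for file names matching deny_pattern,
    200 otherwise. deny_pattern=None models a server that ignores .htaccess."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            name = self.path.rsplit("/", 1)[-1]
            denied = deny_pattern is not None and re.search(deny_pattern, name)
            self.send_response(403 if denied else 200)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/bugzilla" % server.server_port

if __name__ == "__main__":
    for label, pattern in [("rules applied", r"^(localconfig|runtests.sh)$"),
                           ("rules ignored", None)]:
        server, base = start_stub(pattern)
        print(label, audit(base))
        server.shutdown()
        server.server_close()
```

Against a real installation, call `audit()` with the site's own base URL; an EXPOSED verdict with a correct .htaccess in place points at the server configuration rather than the file.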