.htaccess file with wrong regexp by default

VERIFIED INVALID

Status

Bugzilla
Installation & Upgrading
--
trivial
13 years ago
12 years ago

People

(Reporter: Felipe Brant Scarel, Unassigned)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050822 Firefox/1.0.6 (Debian package 1.0.6-3)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050822 Firefox/1.0.6 (Debian package 1.0.6-3)

The .htaccess (in the bugzilla root directory) file that came along with the
default installation of Bugzilla is not blocking access to localconfig. I
changed it into (separating the clauses '.pl' and localconfig) and it worked:

---

# don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pl)$>
  deny from all
</FilesMatch>
<FilesMatch ^(localconfig|runtests.sh)$>
  deny from all
</FilesMatch>
<FilesMatch ^(localconfig.js|localconfig.rdf)$>
  allow from all
</FilesMatch>

---

Reproducible: Always

Steps to Reproduce:
1. Install Bugzilla and use the default .htaccess file

Actual Results:  
I could access localconfig through the browser without being asked for any
password whatsoever.

Expected Results:  
Block the access to the file, returning an Error 403 Forbidden.

Comment 1

13 years ago
That .htaccess file does not look like the one we create.

Exactly what version of bugzilla are you using and where did you get it?
(Reporter)

Comment 2

13 years ago
I'm using 2.18.3; about the htaccess file I modified it myself because it wasn't
working (since localconfig was wide open).

Comment 3

13 years ago
Felipe, we need more information about your configuration. I cannot reproduce
this on either the 2.18 branch or the tip, using Linux, Perl 5.8.6 and Apache
2.0.53.

And running testserver.pl confirms this:

TEST-OK Webserver is preventing fetch of http://localhost/bugzilla218/localconfig.

Comment 4

13 years ago
I pulled 2.18.3 and tried it.
No such problem.

Felipe,
   Please move your .htaccess file to .htaccess.felipe and run checksetup and
see what .htaccess file it generates (and attach it here).  

   Did you get 2.18.3 from our CVS or did you get a tarfile from someone with a
.htaccess file in it?
(Reporter)

Comment 5

13 years ago
Well, maybe I got confused after so many edits to the .htaccess file then. I got
it from Bugzilla's site (not CVS) and since it was not working because of
another problem ( https://bugzilla.mozilla.org/show_bug.cgi?id=299468 ) then I
started trying every possibility.

Sorry for the inconvenience. 
(Reporter)

Comment 6

13 years ago
In fact, I moved out my edited .htaccess file and ran checksetup.pl and it is
still working. It is not a bug after all, I got it wrong. Sorry there guys, and
thanks for the attention.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → INVALID

Comment 7

13 years ago
Removing the security flag per comment 6.
Group: webtools-security

Comment 8

13 years ago
verf. This works for me too. It's possible that you had Apache configured to
ignore .htaccess files, which obviously would produce this result. In any case,
I'm glad it works. 
Status: RESOLVED → VERIFIED
Severity: major → trivial
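
Comment 8's hypothesis, that Apache was configured to ignore .htaccess files, can be checked against the server configuration by finding the AllowOverride setting in effect for the Bugzilla directory. The following is an added example, not part of the bug report or of Bugzilla's own code; the sample config, the paths and the function names are assumptions, and only plain <Directory> sections are handled.

```python
import re

# Constructed sample server config (not from the bug report); paths are assumptions.
SAMPLE_CONF = """\
<Directory />
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes
</Directory>
<Directory "/var/www/html/bugzilla">
    AllowOverride Limit
</Directory>
"""

def effective_allowoverride(conf_text, target_dir, default=("All",)):
    """Return the AllowOverride tokens in effect for target_dir.

    Handles plain <Directory> sections only (no wildcards, regexes, Include).
    The deepest enclosing section that sets AllowOverride wins. `default` is
    the server default when none is set: All on Apache 2.0/2.2, None from
    2.3.9 onwards.
    """
    target = target_dir.rstrip("/") + "/"
    found, section = [], None
    for lineno, raw in enumerate(conf_text.splitlines()):
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I)
        if opened:
            section = opened.group(1).rstrip("/") + "/"
        elif line.lower().startswith("</directory"):
            section = None
        elif section and target.startswith(section):
            directive = re.match(r"AllowOverride\s+(.+)$", line, re.I)
            if directive:
                found.append((len(section), lineno, directive.group(1).split()))
    return max(found)[2] if found else list(default)

def htaccess_deny_status(conf_text, target_dir, default=("All",)):
    """Classify whether Order/Allow/Deny lines in a .htaccess there take effect."""
    tokens = {t.lower() for t in effective_allowoverride(conf_text, target_dir, default)}
    if tokens & {"limit", "all"}:   # Limit is the class covering Order/Allow/Deny
        return "honored"
    if tokens == {"none"}:          # .htaccess files are not read at all
        return "ignored"
    return "limit-not-granted"      # file is read, but access directives are not permitted

if __name__ == "__main__":
    print(htaccess_deny_status(SAMPLE_CONF, "/var/www/html/bugzilla"))
```

A result of "ignored" for the Bugzilla directory matches the situation comment 8 describes, where localconfig is served regardless of what the .htaccess file contains.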