Closed Bug 319241 Opened 19 years ago Closed 19 years ago

Bugzilla.pm is freely accessible from the web

Categories: Bugzilla :: Installation & Upgrading, defect
Version: 2.20
Severity: minor
Status: RESOLVED FIXED
Target Milestone: Bugzilla 2.20
Reporter: LpSolit, Assigned: LpSolit
Attachments: 1 file, 1 obsolete file

Bugzilla/*.pm files are protected. I see no reason to leave ./Bugzilla.pm accessible from the web. You don't know the kind of customisations some admins may do, and being able to access source code increases the risk of attacks (especially if the file is incorrectly modified).
Attached patch: patch, v1 (obsolete)
Attachment #205095 - Flags: review?(myk)
Attached patch: patch, v1.1
Update existing .htaccess as well.
Attachment #205095 - Attachment is obsolete: true
Attachment #205099 - Flags: review?(myk)
Attachment #205095 - Flags: review?(myk)
Comment on attachment 205099 (patch, v1.1)

This works OK, but it's quite brittle.  For example, my .htaccess file contained the following:

# don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pl|.*localconfig.*|runtests.sh)$>
  deny from all
</FilesMatch>
<FilesMatch ^(localconfig.js|localconfig.rdf)$>
  allow from all
</FilesMatch>

Had the two rules been reversed, .*\.pm would have been added to the rule that allows access from everywhere. r=myk, but we should do something better, like surrounding the content we generate so we only ever update that content and not something an installation has manually added.  We might also add a configuration option for whether or not to write this file (so installations that want different rules can have them).
Attachment #205099 - Flags: review?(myk) → review+
Flags: approval+
Status: NEW → ASSIGNED
Flags: approval2.20?
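The brittle-versus-bounded distinction myk raises in comment #3, as an added example that is not part of this bug, the patch, or Bugzilla's checksetup.pl. It reconstructs the fragile behaviour as "splice the new alternative into the first <FilesMatch> regex found" (an assumption about what the patch did, based only on the comment above), and contrasts it with a marker-bounded block that generator code can rewrite idempotently without touching rules an admin added by hand. The marker text, the function names and the sample .htaccess are all constructed for the example; the checker parses only the simple two-line sections used here and does not emulate Apache's Order/allow/deny merging.

```python
import re

# Hypothetical marker lines (not Bugzilla's); everything between them is
# owned by the generator, everything outside belongs to the admin.
BEGIN = "# BEGIN generated rules (do not edit inside this block)"
END = "# END generated rules"

# Constructed sample: the rule order myk warns about, with the allow
# section listed before the deny section.
REVERSED_HTACCESS = """\
# don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(localconfig.js|localconfig.rdf)$>
  allow from all
</FilesMatch>
<FilesMatch ^(.*\\.pl|.*localconfig.*|runtests.sh)$>
  deny from all
</FilesMatch>
"""


def brittle_add_pattern(htaccess, pattern):
    """Assumed reconstruction of the fragile approach: splice a new
    alternative into whichever <FilesMatch ^(...)$> regex comes first,
    without looking at whether that section denies or allows."""
    return re.sub(r"(<FilesMatch \^\([^)]*)(\)\$>)",
                  lambda m: m.group(1) + "|" + pattern + m.group(2),
                  htaccess, count=1)


def generated_block(patterns):
    """Render the generator-owned section as one deny rule between markers."""
    return "\n".join([
        BEGIN,
        "<FilesMatch ^(" + "|".join(patterns) + ")$>",
        "  deny from all",
        "</FilesMatch>",
        END,
    ]) + "\n"


def update_htaccess(htaccess, patterns):
    """Rewrite only the marker-bounded block, appending it if absent.
    Idempotent, and never touches sections an admin added by hand."""
    block = generated_block(patterns)
    marker_re = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END) + r"\n?",
                           re.DOTALL)
    if marker_re.search(htaccess):
        # Callable replacement so the block's backslashes are not
        # reinterpreted as backreferences by re.sub.
        return marker_re.sub(lambda _: block, htaccess, count=1)
    if htaccess and not htaccess.endswith("\n"):
        htaccess += "\n"
    return htaccess + block


def actions_for(htaccess, filename):
    """Action ('allow'/'deny') of each FilesMatch section whose regex matches
    filename, in file order. Parses only the two-line sections used here;
    it is a checker for generated output, not an Apache emulator."""
    actions = []
    for m in re.finditer(r"<FilesMatch (\S+)>\s*(allow|deny) from all", htaccess):
        if re.search(m.group(1), filename):
            actions.append(m.group(2))
    return actions


if __name__ == "__main__":
    brittle = brittle_add_pattern(REVERSED_HTACCESS, r".*\.pm")
    print("brittle:", actions_for(brittle, "Bugzilla.pm"))   # ['allow']
    safe = update_htaccess(REVERSED_HTACCESS,
                           [r".*\.pl", r".*localconfig.*", r"runtests.sh", r".*\.pm"])
    print("bounded:", actions_for(safe, "Bugzilla.pm"))      # ['deny']
    print(safe)
```

With the reversed file, the splice approach lands `.*\.pm` in the allow section, so Bugzilla.pm matches only an allow rule; the bounded approach puts it in its own deny section, and running the update again, or with a different pattern list, rewrites just the marked block.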
(In reply to comment #3)
> We might also add a
> configuration option for whether or not to write this file (so installations
> that want different rules can have them).

We already do this.  There's a variable for it in the localconfig file.
Flags: approval2.20? → approval2.20+
tip:

Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v  <--  checksetup.pl
new revision: 1.456; previous revision: 1.455
done

2.20:

Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v  <--  checksetup.pl
new revision: 1.412.2.14; previous revision: 1.412.2.13
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED