Bug 319241 - Bugzilla.pm is freely accessible from the web
Opened 19 years ago; closed 19 years ago
Categories: Bugzilla :: Installation & Upgrading, defect
Status: RESOLVED FIXED
Bugzilla 2.20
People: Reporter: LpSolit, Assigned: LpSolit
Attachments (1 file, 1 obsolete file): patch, 1.02 KB, myk: review+
Bugzilla/*.pm files are protected. I see no reason to let ./Bugzilla.pm be accessible from the web. You don't know the kind of customisations some admins may do, and being able to access source code increases the risk of attacks (especially if the file is incorrectly modified).
Comment 1 • 19 years ago (Assignee)
Attachment #205095 - Flags: review?(myk)
Comment 2 • 19 years ago (Assignee)
Update existing .htaccess as well.
Attachment #205095 - Attachment is obsolete: true
Attachment #205099 - Flags: review?(myk)
Attachment #205095 - Flags: review?(myk)
Comment 3 • 19 years ago
Comment on attachment 205099 (patch, v1.1)
This works OK, but it's quite brittle. For example, my .htaccess file contained the following:
# don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pl|.*localconfig.*|runtests.sh)$>
deny from all
</FilesMatch>
<FilesMatch ^(localconfig.js|localconfig.rdf)$>
allow from all
</FilesMatch>
Had the two rules been reversed, .*\.pm would have been added to the rule that allows access from everywhere. r=myk, but we should do something better, like surrounding the content we generate so we only ever update that content and not something an installation has manually added. We might also add a configuration option for whether or not to write this file (so installations that want different rules can have them).
Attachment #205099 -
Flags: review?(myk) → review+
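As an added illustration of the brittleness myk describes and of the marker-delimited alternative he suggests (this is not Bugzilla's checksetup.pl code; the marker lines and the sample .htaccess contents are constructed from the fragment quoted above):

```python
import re

# Constructed sample based on the .htaccess fragment myk quotes in comment 3.
DENY_RULE = ('<FilesMatch ^(.*\\.pl|.*localconfig.*|runtests.sh)$>\n'
             'deny from all\n</FilesMatch>\n')
ALLOW_RULE = ('<FilesMatch ^(localconfig.js|localconfig.rdf)$>\n'
              'allow from all\n</FilesMatch>\n')
ORIGINAL = DENY_RULE + ALLOW_RULE   # the order in myk's file
REVERSED = ALLOW_RULE + DENY_RULE   # the order he warns about

# Hypothetical marker lines; Bugzilla's real checksetup.pl did not use these.
BEGIN = '# BEGIN generated by checksetup; do not edit between markers\n'
END = '# END generated by checksetup\n'
PM_RULE = '<FilesMatch ^.*\\.pm$>\ndeny from all\n</FilesMatch>\n'


def brittle_add_pm(htaccess):
    """The fragile approach: splice '.*\\.pm' into the FIRST FilesMatch pattern
    found. Which rule gets widened depends on file order, not on whether
    that rule denies or allows access."""
    return re.sub(r'<FilesMatch \^\(', lambda m: '<FilesMatch ^(.*\\.pm|',
                  htaccess, count=1)


def managed_update(htaccess, generated):
    """The approach myk suggests: rewrite only the marker-delimited block and
    append it if missing. Rules an admin added by hand are never touched,
    and running it again yields the same file."""
    block = BEGIN + generated + END
    if BEGIN in htaccess and END in htaccess:
        start = htaccess.index(BEGIN)
        stop = htaccess.index(END) + len(END)
        return htaccess[:start] + block + htaccess[stop:]
    if htaccess and not htaccess.endswith('\n'):
        htaccess += '\n'
    return htaccess + block


def allowed_patterns(htaccess):
    """Patterns of every FilesMatch block whose directive is 'allow from all';
    anything matched here is reachable from the web."""
    blocks = re.findall(r'<FilesMatch (\S+)>\s*(\w+) from all\s*</FilesMatch>',
                        htaccess)
    return [pattern for pattern, verb in blocks if verb == 'allow']
```

With the reversed file, brittle_add_pm() puts .*\.pm into the allow rule, exposing every .pm file, while managed_update() leaves the hand-written rules alone on every run.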
Updated • 19 years ago
Flags: approval+
Updated • 19 years ago (Assignee)
Status: NEW → ASSIGNED
Flags: approval2.20?
Comment 4 • 19 years ago
(In reply to comment #3)
> We might also add a
> configuration option for whether or not to write this file (so installations
> that want different rules can have them).
We already do this. There's a variable for it in the localconfig file.
Flags: approval2.20? → approval2.20+
Comment 5 • 19 years ago (Assignee)
tip:
Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v <-- checksetup.pl
new revision: 1.456; previous revision: 1.455
done
2.20:
Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v <-- checksetup.pl
new revision: 1.412.2.14; previous revision: 1.412.2.13
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED