Closed Bug 367071 Opened 18 years ago Closed 18 years ago

[SECURITY] mod_perl <Directory> block doesn't let .htaccess work, and doesn't include the blacklists for files that shouldn't be downloaded

Categories

(Bugzilla :: Installation & Upgrading, defect)

2.23.3
defect
Not set
blocker

Tracking

RESOLVED FIXED
Bugzilla 3.0

People

(Reporter: justdave, Assigned: justdave)

References

Details

(Whiteboard: [doesn't affect 2.22.x or lower][ready for 2.23.4])

Attachments

(1 file)

I can retrieve localconfig from the web, 'nuff said.
Flags: blocking3.0+
I added "AllowOverride All" to the <Directory> block in mod_perl.pl on b.m.o to let the existing .htaccess file work.  This may be more permissions than it needs, and that is the only reason I'm not providing a patch right now, since we need to figure out what the appropriate permissions are here.
Wouldn't "AllowOverride Limit" work? That's what we have in /etc/httpd/conf/httpd.conf.
In the docs, you mean?  Guess it would.

We could also block all these files directly in the <Directory> block that mod_perl.pl generates instead of depending on .htaccess at all.
Attached patch: Use Limit
Here's the Limit version, basically what I did on b.m.o except change All to Limit.
Assignee: installation → justdave
Status: NEW → ASSIGNED
Attachment #251585 - Flags: review?
(In reply to comment #3)
> in the docs you mean?  Guess it would.

http://www.bugzilla.org/docs/tip/html/configuration.html#http

Docs say so, and that's also what I have in my own httpd.conf.
Comment on attachment 251585: Use Limit

Yeah, this is correct. I'm surprised that I missed that. It was working on landfill because the AllowOverride is set on /var/www/html/.
Attachment #251585 - Flags: review? → review+
We should leave this in the approval queue until the release, since it's a real security bug.
Flags: approval?
Not only is it a security bug, but it's a pretty critical one, as you can steal the login and password to access the DB. We should release ASAP.
Summary: mod_perl <Directory> block doesn't let .htaccess work, and doesn't include the blacklists for files that shouldn't be downloaded → [SECURITY] mod_perl <Directory> block doesn't let .htaccess work, and doesn't include the blacklists for files that shouldn't be downloaded
Whiteboard: [doesn't affect 2.22.x or lower][ready for 3.0rc1]
Blocks: 368656
Sounds like a good reason to make sure people run testserver.pl when they upgrade.
Whiteboard: [doesn't affect 2.22.x or lower][ready for 3.0rc1] → [doesn't affect 2.22.x or lower][ready for 2.23.4]
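The failure mode discussed in this bug is an Apache <Directory> block that carries no AllowOverride (so it inherits the usual "AllowOverride None" from <Directory />), which makes Apache silently ignore the deny rules in Bugzilla's .htaccess. The following is an added example, not code from Bugzilla or from this bug's patch: a small audit that parses the generated <Directory> blocks and reports where a .htaccess access blacklist would be honored. The two configuration fragments are constructed to illustrate the before and after shape and are not mod_perl.pl's actual output.

```python
import re

# Constructed Apache configuration fragments (assumed shape, not Bugzilla's
# actual mod_perl.pl output): the vulnerable block has no AllowOverride, the
# fixed one carries the "AllowOverride Limit" that this bug's patch adds.
VULNERABLE = """
<Directory /var/www/html/bugzilla>
    AddHandler perl-script .cgi
    Options +ExecCGI
</Directory>
"""

FIXED = """
<Directory /var/www/html/bugzilla>
    AddHandler perl-script .cgi
    Options +ExecCGI
    AllowOverride Limit
</Directory>
"""

# Override classes under which the Order/Allow/Deny rules in a .htaccess
# file take effect: Limit covers them directly, All implies every class.
_ENABLING = {"all", "limit"}

_DIR_RE = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S | re.I)
_OVR_RE = re.compile(r"^\s*AllowOverride\s+(.+?)\s*$", re.M | re.I)


def htaccess_access_rules_honored(config):
    """Map each <Directory> path to True if a .htaccess access-control
    blacklist will be applied there, False if Apache will ignore it.

    A block without AllowOverride inherits the enclosing setting, which in
    a stock httpd.conf is 'AllowOverride None' on <Directory />; that case
    is reported as False because the blacklist cannot be relied on.
    """
    result = {}
    for m in _DIR_RE.finditer(config):
        path, body = m.group(1).strip().strip('"'), m.group(2)
        overrides = _OVR_RE.findall(body)
        if not overrides:
            result[path] = False  # inherits None from <Directory />
            continue
        classes = {c.lower() for c in overrides[-1].split()}  # last one wins
        result[path] = bool(classes & _ENABLING) and "none" not in classes
    return result


def audit(config):
    """Return the directories whose .htaccess blacklist would be ignored."""
    return [d for d, ok in htaccess_access_rules_honored(config).items() if not ok]
```

Running audit() over a live httpd.conf complements testserver.pl: it reports the misconfiguration from the config alone, without fetching localconfig over HTTP.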
Checking in mod_perl.pl;
/cvsroot/mozilla/webtools/bugzilla/mod_perl.pl,v  <--  mod_perl.pl
new revision: 1.4; previous revision: 1.3
done
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: approval? → approval+
Security advisory posted, unlocking bug.
Group: webtools-security