Access control in discussions subdirectories restricted to some methods

RESOLVED FIXED in 3.4.6

Status

Product: addons.mozilla.org Graveyard
Component: Public Pages
Status: RESOLVED FIXED
Reported: 11 years ago
Modified: 2 years ago

People

(Reporter: Wladimir Palant (for Adblock Plus info Cc bugzilla@adblockplus.org), Assigned: lorchard)

Attachments

(1 attachment, 1 obsolete attachment)

/app/webroot/discussions/ has several subdirectories with .htaccess files like this one:

<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>

Why are only GET, POST and PUT denied? Am I still allowed to access the directory using the HEAD method? From http://httpd.apache.org/docs/2.0/mod/core.html#limit:

"In the general case, access control directives should not be placed within a <Limit> section."

Note that I still got 403 Forbidden when trying to access some file using the HEAD method but I guess it was the cache server translating HEAD into GET.
Severity: major → normal
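The reporter's question is whether a `Deny` placed inside `<Limit GET POST PUT>` leaves other methods unrestricted. The Apache core documentation for `<Limit>` answers part of it: naming GET also restricts HEAD, TRACE cannot be limited at all, and every other method not listed is left untouched. The linter below is an added example, not code from this bug or from the AMO/Vanilla tree; it walks `.htaccess` text, flags access-control directives nested inside `<Limit>` or `<LimitExcept>`, and lists the methods each such directive does not apply to. The two sample files are constructed: the weak one copies the four-line block quoted in the report, the hardened one is the unconditional deny-all shape that the fix in Comment 5 settled on.

```python
"""Lint .htaccess text for access-control directives placed inside <Limit>.

Added example for this bug; the sample configurations are constructed.
"""
import re

# Directives that decide who may reach a resource (mod_access / mod_auth
# vocabulary of Apache 2.0/2.2, as used in the .htaccess files in the bug).
ACCESS_DIRECTIVES = {"order", "allow", "deny", "require", "satisfy"}

# Methods that <Limit> can name, per the Apache core docs for <Limit>.
# TRACE is deliberately absent: the docs state it cannot be limited.
LIMITABLE_METHODS = {
    "GET", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
}

OPEN_RE = re.compile(r"^<(limit|limitexcept)\s+([^>]+)>$", re.IGNORECASE)
CLOSE_RE = re.compile(r"^</(limit|limitexcept)>$", re.IGNORECASE)

# Constructed: the block quoted in the report (lib subdirectory of discussions/).
WEAK_HTACCESS = """\
<Limit GET POST PUT>
Order Allow,Deny
Deny from All
</Limit>
"""

# Constructed: the deny-all shape the fix moved to, no <Limit> at all.
HARDENED_HTACCESS = """\
Order Allow,Deny
Deny from All
"""


def methods_left_unrestricted(kind, named):
    """Methods that a directive inside this section does NOT apply to."""
    covered = set(named)
    # Apache docs: naming GET also covers HEAD (HEAD is processed as GET).
    if "GET" in covered:
        covered.add("HEAD")
    everything = LIMITABLE_METHODS | {"HEAD"}
    if kind == "limit":
        return sorted(everything - covered)
    # <LimitExcept> applies to everything except the named methods.
    return sorted(covered & everything)


def find_limited_access_controls(htaccess_text):
    """Return findings for access-control directives nested in <Limit>/<LimitExcept>."""
    findings = []
    stack = []  # open sections as (kind, named methods), innermost last
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            kind = opened.group(1).lower()
            named = {m.upper() for m in opened.group(2).split()}
            stack.append((kind, named))
            continue
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        directive = line.split()[0].lower()
        if directive in ACCESS_DIRECTIVES and stack:
            kind, named = stack[-1]
            findings.append({
                "line": lineno,
                "directive": line,
                "section": kind,
                "unrestricted_methods": methods_left_unrestricted(kind, named),
            })
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_HTACCESS), ("hardened", HARDENED_HTACCESS)):
        hits = find_limited_access_controls(text)
        print(f"{name}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  line {f['line']}: '{f['directive']}' inside <{f['section']}> "
                  f"leaves unrestricted: {', '.join(f['unrestricted_methods'])}")
```

Run against the weak sample it reports both the `Order` and the `Deny` line and lists DELETE, OPTIONS, PROPFIND and the other unnamed methods as unrestricted, while HEAD is correctly absent from that list; the hardened sample yields no findings, which is the property the final patch relies on.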

Updated

10 years ago
Assignee: nobody → laura
Target Milestone: --- → 3.4.5

Comment 1

10 years ago
Pushing out all these discussions bugs to 3.4.6
Target Milestone: 3.4.5 → 3.4.6

Updated (Assignee)

10 years ago
Assignee: laura → lorchard

Comment 2 (Assignee)

10 years ago
Created attachment 329102 [details] [diff] [review]
Revised .htaccess files denying access to *.php rather than by method

Revised the .htaccess files and added one for themes/ (for bug 374045) which deny access to *.php rather than deny by method, since that seems to have been the original purpose for the out-of-box Vanilla versions.

Updated (Assignee)

10 years ago
Attachment #329102 - Flags: review?(laura)

Comment 3

10 years ago
Comment on attachment 329102 [details] [diff] [review]
Revised .htaccess files denying access to *.php rather than by method

In the conf dir, there's a readme which will be exposed by these.  Also, what if somebody adds a .inc etc file?  Would it be better to just have an unrestricted <Limit> ?
I think just dropping the <Limit> tag will be better - why should it be possible to access these directories from the web?

Comment 5 (Assignee)

10 years ago
Created attachment 330273 [details] [diff] [review]
Revised .htaccess files denying all access, except for theme directories with CSS / images

Okay, new patch.  Dropping all limit tags to deny all web access to the Vanilla lib directories, adding another couple of .htaccess files to re-allow access to CSS and images per bug 374045
Attachment #329102 - Attachment is obsolete: true
Attachment #330273 - Flags: review?(laura)
Attachment #329102 - Flags: review?(laura)

Updated (Assignee)

10 years ago
Attachment #330273 - Flags: review?(fwenzel)

Comment 6

10 years ago
When you introduce a rule for /themes, won't that apply to all subdirectories as well? I think so, so there's no reason to repeat the same ones in subdirectories again.

Also, if you're solving bug 374045 in here, will you dupe it to this?

Updated

10 years ago
Attachment #330273 - Flags: review?(laura)
Attachment #330273 - Flags: review?(fwenzel)
Attachment #330273 - Flags: review-

Comment 7 (Assignee)

10 years ago
The rule for /themes is to deny all, which is overridden to allow all in the individual theme directories with CSS and image files.  Is that what you're seeing...?  If so, it's not a repeat.  

I'll also dupe bug 374045 to this one - this one is more inclusive.

Updated (Assignee)

10 years ago
Duplicate of this bug: 374045

Comment 9

10 years ago
Comment on attachment 330273 [details] [diff] [review]
Revised .htaccess files denying all access, except for theme directories with CSS / images

See, had I read the patch right, I'd have noticed that. ;)

Sorry. Yes, this makes so much more sense than what I imagined before.
Attachment #330273 - Flags: review- → review+

Comment 10 (Assignee)

10 years ago
Fixed in r17169
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard