Closed
Bug 445804
Opened 16 years ago
Closed 13 years ago
Suggested crontab configuration opens security hole
Categories: Bugzilla :: Documentation, defect
Product: Bugzilla
Component: Documentation
Status: RESOLVED FIXED
Target Milestone: Bugzilla 3.4
People: Reporter: wes, Assigned: selsky
Attachments: 1 file (patch, 1.21 KB; mkanat: review+)
Section 2.3.1, Bug Graphs in extraconfig.html suggests the following crontab entry:

    cd <your-bugzilla-directory> ; ./collectstats.pl

This opens up a minor security hole, where an arbitrary executable named collectstats.pl could be run from another location (potentially the directory crond was manually launched from) when "your-bugzilla-directory" is not findable for some condition (i.e. bugzilla de-install, NFS failure, permissions).

The fix is trivial:

    cd <your-bugzilla-directory> && ./collectstats.pl

This entry will only run collectstats.pl if chdir succeeds.
Comment 1•16 years ago
Well, that's not a big deal. The one typing the command line is responsible for typing the correct path. Not a security bug.
Severity: normal → minor
Sorry to comment on such an old bug report, but the following is important.

Many old shells had special-case code such that if a cd failed, the shell would abort the entire script. At some point in time, somebody decided that this special case was a bad idea. Modern shells don't have this any more, so far as I can tell. But many old programming manuals still use this type of code, and many old-timers do this out of habit, because it used to work.

Code examples should, therefore, use the && and not the semicolon, just to remind people that shells are not so fail-safe any more.

I just tested this on SunOS 4.1.3_U1:

    # cat x.sh
    #! /bin/sh
    cd /NONEXISTENT ; echo reached here
    echo reached next line
    # ./x.sh
    ./x.sh: /NONEXISTENT: bad directory
    #
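The difference between the two crontab entries discussed in this bug, as an added shell example that is not part of the bug report or of the Bugzilla documentation. It assumes a throwaway mktemp directory, a harmless constructed stand-in named collectstats.pl, and a hypothetical path missing-bugzilla in place of <your-bugzilla-directory>.

```shell
#!/bin/sh
# Added demo. Everything happens inside a throwaway mktemp directory; the
# collectstats.pl created here is a constructed stand-in that only records
# that it was started.

make_sandbox() {
    sandbox=$(mktemp -d) || return 1
    mkdir "$sandbox/launch"   # stands in for the directory crond was started from
    cat > "$sandbox/launch/collectstats.pl" <<'EOF'
#!/bin/sh
echo "started in $(pwd)" >> "$MARKER"
EOF
    chmod +x "$sandbox/launch/collectstats.pl"
    printf '%s\n' "$sandbox"
}

# run_entry SEP: run "cd <dir> SEP ./collectstats.pl" where <dir> does not
# exist (hypothetical path missing-bugzilla), starting from launch/.
# Prints "ran" if the stand-in was executed, "skipped" otherwise.
run_entry() {
    sep=$1
    sandbox=$(make_sandbox) || return 1
    MARKER="$sandbox/marker"
    export MARKER
    (
        cd "$sandbox/launch" || exit 1
        sh -c "cd '$sandbox/missing-bugzilla' $sep ./collectstats.pl" 2>/dev/null
    ) || true                 # the '&&' form exits non-zero; that is expected
    if [ -s "$MARKER" ]; then result=ran; else result=skipped; fi
    rm -rf "$sandbox"
    echo "$result"
}

for sep in ';' '&&'; do
    printf 'cd <dir> %s ./collectstats.pl -> stand-in %s\n' "$sep" "$(run_entry "$sep")"
done
```

With `;` the failed cd is ignored and the stand-in in the launch directory runs; with `&&` nothing runs and the entry exits non-zero, which cron can report.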
Comment 3•13 years ago (Assignee)
Assignee: documentation → selsky
Status: NEW → ASSIGNED
Attachment #564139 - Flags: review?(documentation)
Updated•13 years ago
Attachment #564139 - Flags: review?(documentation) → review+
Updated•13 years ago
Flags: approval4.2+
Flags: approval4.0+
Flags: approval3.6+
Flags: approval3.4+
Flags: approval+
Target Milestone: --- → Bugzilla 3.4
Comment 4•13 years ago

    Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
    modified docs/en/xml/installation.xml
    Committed revision 7976.

    Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
    modified docs/en/xml/installation.xml
    Committed revision 7942.

    Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
    modified docs/en/xml/installation.xml
    Committed revision 7652.

    Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.6/
    modified docs/en/xml/installation.xml
    Committed revision 7257.

    Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/3.4/
    modified docs/en/xml/installation.xml
    Committed revision 6811.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED