Closed
Bug 534798
Opened 15 years ago
Closed 15 years ago
[SECURITY] old-params.txt file should be under the datadir so it is protected from the web by .htaccess
Categories
(Bugzilla :: Installation & Upgrading, defect)
RESOLVED
DUPLICATE
of bug 434801
People
(Reporter: reed, Assigned: reed)
Attachments
(2 obsolete files)
I noticed an "old-params.txt" file in landfill's bugzilla-tip directory, which I had never seen before. It seems to contain the contents of removed parameters, which seems bad. What if there's a parameter that is removed that contains private/confidential information? It could easily be viewed via the web by anybody. The code in Bugzilla/Config.pm sets the file's permissions to 0600, but it seems to get changed to 0640 somewhere along the line. In any case, the file should be moved to the datadir where the .htaccess will protect it from being read by just anybody.
Patch attached that I think will do just that, but it's untested.
Attachment #417615 -
Flags: review?(mkanat)
Comment 1•15 years ago
Also call ChmodDataFile() to put the file back at 0600.
Attachment #417615 -
Attachment is obsolete: true
Attachment #417616 -
Flags: review?(mkanat)
Attachment #417615 -
Flags: review?(mkanat)
Comment 2•15 years ago
Sigh, this is a dupe of a public bug. Really not sure why bug 434801 wasn't marked as security, as LpSolit clearly points out there are security implications of what is being done in bug 434801, comment #0.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Comment 3•15 years ago
Comment on attachment 417616 [details] [diff] [review]
patch - v1.1 (tip)
Moving to other bug.
Attachment #417616 -
Attachment is obsolete: true
Attachment #417616 -
Flags: review?(mkanat)
Updated•15 years ago
Severity: major → normal
Updated•15 years ago
Target Milestone: Bugzilla 3.0 → ---
Updated•15 years ago
Group: bugzilla-security