534798 - [SECURITY] old-params.txt file should be under the datadir so it is protected from the web by .htaccess

Status: RESOLVED DUPLICATE of bug 434801

(Bugzilla :: Installation & Upgrading, defect)

Description

[Reed Loden [:reed]]

Attachment: patch - v1

I noticed an "old-params.txt" file in landfill's bugzilla-tip directory, which I had never seen before. It seems to contain the contents of removed parameters, which seems bad. What if there's a parameter that is removed that contains private/confidential information? It could easily be viewed via the web by anybody. The code in Bugzilla/Config.pm sets the file's permissions to 0600, but it seems to get changed to 0640 somewhere along the line. In any case, the file should be moved to the datadir where the .htaccess will protect it from being read by just anybody.

Patch attached that I think will do jus that, but it's untested.

Comment 1

[Reed Loden [:reed]]

Attachment: patch - v1.1 (tip)

Also call ChmodDataFile() to put the file back at 0600.

Comment 2

[Reed Loden [:reed]]

Sigh, this is a dupe of a public bug. Really not sure why bug 434801 wasn't marked as security, as LpSolit clearly points out there are security implications of what is being done in bug 434801, comment #0.

Comment 3

[Reed Loden [:reed]]

Comment on attachment 417616 [details] [diff] [review]
patch - v1.1 (tip)

Moving to other bug.