Status: RESOLVED FIXED
Product: Bugzilla
Component: Bugzilla-General
Importance: P5 normal
Reported: 17 years ago
Modified: 5 years ago

People: Reporter: CodeMachine; Assigned: justdave

Tracking: Version: unspecified; Target Milestone: Bugzilla 2.14

Details: Whiteboard: code

Attachments: 2 attachments

Description (Reporter, 17 years ago)
For Bugzilla 2.12 we documented the files that admins have to deny access to. 
For 2.14 we should ship .htaccess files for web servers that support them (just
Apache?)
Updated (Reporter, 17 years ago)

Target Milestone: --- → Bugzilla 2.14
This should probably be one of the last bugs we complete before shipping 2.14.
There are other bugs pending which will change the definitions of what needs to be
blocked. (shadow/ is gone, data/comments no longer needs to be accessible by the
webserver, etc.)

Comment 2 (17 years ago)
Based on Dave's comment, marking P5 so it drops to the bottom of my list ;)
Priority: -- → P5
I'll take care of this when we get to that point.  I have a good set of working 
.htaccess files on my site that can be tweaked and incorporated.
Assignee: tara → justdave
Whiteboard: code
Since the data directory is not in cvs, we'd need to have checksetup.pl drop 
these in after data is created at installation time.  Did I miss any directories?  
Does graphs need to be protected, or is that where the PNGs go for the charts?

+++ .htaccess
# don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pl|localconfig|processmail|syncshadowdb)$>
  deny from all
</FilesMatch>

+++ data/.htaccess
# nothing in this directory is retrievable unless overridden by an .htaccess
# in a subdirectory
deny from all

+++ data/webdot/.htaccess
# Allow access to nothing in this directory except for .dot files
# and don't allow access to those to anyone except research.att.com
# if research.att.com ever changed their IP, or if you use a different
# webdot server, you'll need to edit this
<FilesMatch ^[0-9]+\.dot$>
  Allow from 192.20.225.10
  Deny from all
</FilesMatch>

# And no directory listings, either.
Deny from all
Created attachment 42836: Patch
The attached patch adds a variable (default on) to localconfig to determine if 
you want the .htaccess files created.  If you do, and they don't already exist, 
checksetup.pl will create them.  If they already exist, it won't touch them (in 
case you personalize them on your site).
Keywords: patch, review
r=jake in irc
checked in
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
.htaccess files, if they exist, don't get their group set to the webserver group, 
because glob(*) ignores dotfiles.
Also, cvs actions are flagging .htaccess as an unknown file, so need to add it to 
.cvsignore.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Created attachment 43189: bugfix patch
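The two mechanisms this bug turns on, creating the .htaccess files only when they are absent (so site-customised copies survive) and the glob('*') dotfile pitfall reported when the bug was reopened, are shown together in the standalone Perl script below. This is an added example, not checksetup.pl or any other Bugzilla code; the scratch directory layout, the function names, the default-on switch and the use of the temp directory's own group in place of the webserver group are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not checksetup.pl: drop the .htaccess files proposed in
# this bug into a scratch tree only if absent, then set group ownership
# on every file in each directory, dotfiles included.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# File contents as proposed in the bug (Apache 2.x allow/deny syntax).
my %htaccess = (
    '.htaccess' => <<'EOT',
# don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pl|localconfig|processmail|syncshadowdb)$>
  deny from all
</FilesMatch>
EOT
    'data/.htaccess' => <<'EOT',
# nothing in this directory is retrievable unless overridden by an .htaccess
# in a subdirectory
deny from all
EOT
    'data/webdot/.htaccess' => <<'EOT',
# Allow access to nothing in this directory except for .dot files,
# and only from the webdot server (edit the address if you use another)
<FilesMatch ^[0-9]+\.dot$>
  Allow from 192.20.225.10
  Deny from all
</FilesMatch>
# And no directory listings, either.
Deny from all
EOT
);

# Stand-in for the localconfig switch described in the patch comment:
# default on. Existing files are never overwritten.
our $create_htaccess = 1;

sub write_htaccess {
    my ($root) = @_;
    return unless $create_htaccess;
    foreach my $rel (sort keys %htaccess) {
        my $path = File::Spec->catfile($root, $rel);
        next if -e $path;    # leave a site-customised file alone
        open(my $fh, '>', $path) or die "can't write $path: $!";
        print $fh $htaccess{$rel};
        close($fh);
    }
}

# The reopen bug: glob('*') skips dotfiles, so a chown loop built on it
# never touches .htaccess. readdir returns everything; skip only . and ..
sub all_entries {
    my ($dir) = @_;
    opendir(my $dh, $dir) or die "can't read $dir: $!";
    my @names = grep { $_ ne '.' && $_ ne '..' } readdir($dh);
    closedir($dh);
    return map { File::Spec->catfile($dir, $_) } @names;
}

sub set_group {
    my ($dir, $gid) = @_;
    my @files = grep { -f $_ } all_entries($dir);
    chown(-1, $gid, @files) == @files or warn "chown failed in $dir: $!";
    return scalar @files;
}

# Demonstration in a throwaway tree (hypothetical layout, not a real install).
my $root = tempdir(CLEANUP => 1);
mkdir(File::Spec->catdir($root, 'data'))           or die "mkdir: $!";
mkdir(File::Spec->catdir($root, 'data', 'webdot')) or die "mkdir: $!";
write_htaccess($root);

my @via_glob    = glob(File::Spec->catfile($root, '*'));
my @via_readdir = all_entries($root);
printf "glob('*') sees %d entries, readdir sees %d (glob misses .htaccess)\n",
    scalar @via_glob, scalar @via_readdir;

# The temp directory's own group stands in for the webserver group.
my $gid = (stat($root))[5];
foreach my $dir ($root, map { File::Spec->catdir($root, $_) } 'data', 'data/webdot') {
    my $n = set_group($dir, $gid);
    print "set group on $n file(s) in $dir\n";
}
```

Running it a second time against the same tree would leave all three files untouched because of the `-e` check, which is the behaviour the patch comment describes for personalised files; the readdir-based loop is the fix for the ownership problem that caused the reopen.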

Comment 10 (17 years ago)
Looks good to me...

r=jake
checked in.
Status: REOPENED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa