Closed
Bug 76154
Opened 24 years ago
Closed 24 years ago
.htaccess files
Categories
(Bugzilla :: Bugzilla-General, defect, P5)
RESOLVED
FIXED
Bugzilla 2.14
People
(Reporter: CodeMachine, Assigned: justdave)
Details
(Whiteboard: code)
Attachments
(2 files)
3.23 KB, patch
1.09 KB, patch
For Bugzilla 2.12 we documented the files that admins have to deny access to.
For 2.14 we should ship .htaccess files for web servers that support them (just
Apache?)
Updated•24 years ago (Reporter)
Target Milestone: --- → Bugzilla 2.14
Comment 1•24 years ago (Assignee)
This should probably be one of the last bugs we complete before shipping 2.14.
There are other bugs pending which will change the definitions of what needs to be
blocked. (shadow/ is gone, data/comments no longer needs to be accessible by the
webserver, etc.)
Comment 2•24 years ago
Based on Dave's comment, marking P5 so it drops to the bottom of my list ;)
Priority: -- → P5
Comment 3•24 years ago (Assignee)
I'll take care of this when we get to that point. I have a good set of working
.htaccess files on my site that can be tweaked and incorporated.
Assignee: tara → justdave
Updated•24 years ago
Whiteboard: code
Comment 4•24 years ago (Assignee)
Since the data directory is not in cvs, we'd need to have checksetup.pl drop
these in after data is created at installation time. Did I miss any directories?
Does graphs need to be protected, or is that where the PNGs go for the charts?
+++ .htaccess
# don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pl|localconfig|processmail|syncshadowdb)$>
  deny from all
</FilesMatch>

+++ data/.htaccess
# nothing in this directory is retrievable unless overridden by an .htaccess
# in a subdirectory
deny from all

+++ data/webdot/.htaccess
# Allow access to nothing in this directory except for .dot files
# and don't allow access to those to anyone except research.att.com
# if research.att.com ever changed their IP, or if you use a different
# webdot server, you'll need to edit this
<FilesMatch ^[0-9]+\.dot$>
  Allow from 192.20.225.10
  Deny from all
</FilesMatch>
# And no directory listings, either.
Deny from all
Comment 5•24 years ago (Assignee)
Comment 6•24 years ago (Assignee)
The attached patch adds a variable (default on) to localconfig to determine if
you want the .htaccess files created. If you do, and they don't already exist,
checksetup.pl will create them. If they already exist, it won't touch them (in
case you personalize them on your site).
Comment 7•24 years ago (Assignee)
r= jake in irc
checked in
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 8•24 years ago (Assignee)
.htaccess files, if they exist, don't get their group set to the webserver group,
because glob(*) ignores dotfiles.
Also, cvs actions are flagging .htaccess as an unknown file, so need to add it to
.cvsignore.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
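Comments 6 and 8 describe two behaviours: write an .htaccess only when none exists, and a bare `*` glob skipping dotfiles during the group fix-up. The POSIX shell sketch below is an added illustration, not the checksetup.pl patch attached to this bug; the function names and the sample file name used when trying it are assumptions.

```shell
#!/bin/sh
# Added example (not Bugzilla's checksetup.pl). Function names are
# hypothetical; any paths passed in are constructed by the caller.

# Write an .htaccess only when none exists, so site-local edits survive
# re-runs. $1 = target path, $2 = file contents.
# Prints "created" or "kept".
ensure_htaccess() {
    if [ -e "$1" ]; then
        echo kept
    else
        mkdir -p "$(dirname "$1")" && printf '%s\n' "$2" > "$1" && echo created
    fi
}

# What a bare "*" glob sees in directory $1: dotfiles are skipped,
# so .htaccess never reaches the group fix-up.
list_star() {
    ( cd "$1" && for f in *; do
          if [ -e "$f" ]; then echo "$f"; fi
      done )
}

# Same listing with .htaccess named explicitly so it is included.
list_with_htaccess() {
    ( cd "$1" && for f in .htaccess *; do
          if [ -e "$f" ]; then echo "$f"; fi
      done )
}

# Set group $2 on every entry list_with_htaccess finds in directory $1.
fix_group() {
    list_with_htaccess "$1" | while IFS= read -r f; do
        chgrp "$2" "$1/$f" || exit 1
    done
}
```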
Comment 9•24 years ago (Assignee)
Comment 10•24 years ago
Looks good to me...
r=jake
Comment 11•24 years ago (Assignee)
checked in.
Status: REOPENED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → FIXED
Comment 12•23 years ago (Assignee)
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa