For Bugzilla 2.12 we documented the files that admins have to deny access to. For 2.14 we should ship .htaccess files for web servers that support them (just Apache?)
This should probably be one of the last bugs we complete before shipping 2.14. There are other bugs pending which will change the definitions of what needs to be blocked (shadow/ is gone, data/comments no longer needs to be accessible by the webserver, etc).
Based on Dave's comment, marking P5 so it drops to the bottom of my list ;)
I'll take care of this when we get to that point. I have a good set of working .htaccess files on my site that can be tweaked and incorporated.
Since the data directory is not in cvs, we'd need to have checksetup.pl drop these in after data is created at installation time. Did I miss any directories? Does graphs need to be protected, or is that where the PNGs go for the charts?

+++ .htaccess
# don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pl|localconfig|processmail|syncshadowdb)$>
  deny from all
</FilesMatch>

+++ data/.htaccess
# nothing in this directory is retrievable unless overridden by an .htaccess
# in a subdirectory
deny from all

+++ data/webdot/.htaccess
# Allow access to nothing in this directory except for .dot files
# and don't allow access to those to anyone except research.att.com
# if research.att.com ever changed their IP, or if you use a different
# webdot server, you'll need to edit this
<FilesMatch ^[0-9]+\.dot$>
  Allow from 220.127.116.11
  Deny from all
</FilesMatch>
# And no directory listings, either.
Deny from all
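A quick way to see what the top-level FilesMatch rule above actually covers is to run its regex over a list of file names. The script below is an added example, not part of this bug or of Bugzilla; the file names are constructed for the test and include the kind of editor backup or renamed copy an admin might leave in the directory.

```perl
#!/usr/bin/perl -w
# Added example, not from the bug or from Bugzilla: apply the top-level
# FilesMatch pattern posted above to a constructed list of file names and
# report which ones the rule would deny. Apache applies a FilesMatch regex
# to the basename of the requested file, which is what is simulated here.
use strict;

# The pattern exactly as it appears in the posted .htaccess.
my $denied = qr/^(.*\.pl|localconfig|processmail|syncshadowdb)$/;

# Returns 1 if the given basename is caught by the FilesMatch rule.
sub is_denied {
    my ($name) = @_;
    return $name =~ $denied ? 1 : 0;
}

# Constructed sample names: real Bugzilla files plus backup/renamed copies.
my @samples = qw(
    index.cgi
    localconfig
    processmail
    syncshadowdb
    globals.pl
    CGI.pl
    localconfig~
    localconfig.bak
    processmail.orig
    globals.pl.bak
);

foreach my $name (@samples) {
    printf "%-18s %s\n", $name, is_denied($name) ? 'denied' : 'retrievable';
}
```

Because the pattern is anchored on both ends, `localconfig`, `processmail`, `syncshadowdb` and every `*.pl` file are denied, while `index.cgi` stays retrievable as intended. Names such as `localconfig~`, `localconfig.bak` or `globals.pl.bak` fall outside the pattern, so a stray backup copy of localconfig would be served; if that matters on a given site, the admin can widen the alternation (for instance to `^(.*\.pl.*|localconfig.*|processmail.*|syncshadowdb.*)$`, a suggestion here, not something the bug proposes).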
The attached patch adds a variable (default on) to localconfig to determine if you want the .htaccess files created. If you do, and they don't already exist, checksetup.pl will create them. If they already exist, it won't touch them (in case you personalize them on your site).
r=jake in irc, checked in
.htaccess files, if they exist, don't get their group set to the webserver group, because glob(*) ignores dotfiles. Also, cvs actions are flagging .htaccess as an unknown file, so need to add it to .cvsignore.
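To make the two comments above concrete, here is an added, stand-alone sketch of the create-if-absent step and of a group fix-up that does not rely on glob("*"). It is not the bug's patch or Bugzilla's checksetup.pl; `$create_htaccess` and `$webservergroup` stand in for localconfig settings and are assumptions, and it expects to be run from the Bugzilla directory after data/ and data/webdot/ exist.

```perl
#!/usr/bin/perl -w
# Added example, not the bug's patch or Bugzilla's checksetup.pl: the
# create-if-absent step and the group fix-up described in the comments
# above, written stand-alone. $create_htaccess and $webservergroup stand
# in for localconfig settings and are assumptions here; run it from the
# Bugzilla directory after data/ and data/webdot/ exist.
use strict;
use File::Basename qw(dirname);

my $create_htaccess = 1;          # assumed localconfig switch (default on)
my $webservergroup  = 'nobody';   # assumed; the group the web server runs as

# File contents taken from the .htaccess files posted earlier in this bug.
my %htaccess = (
    '.htaccess' => <<'END',
# don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pl|localconfig|processmail|syncshadowdb)$>
  deny from all
</FilesMatch>
END
    'data/.htaccess' => <<'END',
# nothing in this directory is retrievable unless overridden by an .htaccess
# in a subdirectory
deny from all
END
    'data/webdot/.htaccess' => <<'END',
# Allow access to nothing in this directory except for .dot files
# and don't allow access to those to anyone except research.att.com
<FilesMatch ^[0-9]+\.dot$>
  Allow from 220.127.116.11
  Deny from all
</FilesMatch>
# And no directory listings, either.
Deny from all
END
);

# Create each file only if it is missing, so a site's customized copy
# survives a re-run of checksetup.pl.
if ($create_htaccess) {
    foreach my $file (sort keys %htaccess) {
        next unless -d dirname($file);   # directory not created yet
        if (-e $file) {
            print "$file already exists, leaving it alone.\n";
            next;
        }
        print "Creating $file...\n";
        open(my $fh, '>', $file) or die "Cannot create $file: $!";
        print $fh $htaccess{$file};
        close($fh) or die "Cannot write $file: $!";
        chmod 0640, $file;   # owner plus the web server group can read it
    }
}

# Fix group ownership. glob("*") skips dotfiles, so .htaccess would be
# missed; name the dotfiles explicitly alongside the glob result.
if ($webservergroup) {
    my $gid = getgrnam($webservergroup);
    defined($gid) or die "No such group: $webservergroup";
    my @files = (glob('*'), grep { -e $_ } keys %htaccess);
    my $n = chown(-1, $gid, @files);
    print "Set group $webservergroup on $n of ", scalar(@files), " files.\n";
}
```

The explicit list is the simplest fix for the dotfile problem; the alternative is a second glob of `.*` with `.` and `..` filtered out, which picks up any other dotfiles in the tree as well. Either way, after running it a quick `ls -la .htaccess data/.htaccess data/webdot/.htaccess` should show the web server group on all three files.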
Looks good to me... r=jake
Moving to Bugzilla product