Bug 785511 - Prevent directory browsing in docs/, extensions/ and all other subdirectories of Bugzilla
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Bugzilla-General
Version: 4.3.2
Hardware: All
OS: All
Priority: --
Severity: minor
Target Milestone: Bugzilla 4.4
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
Depends on:
Blocks: 785112 787688

Reported: 2012-08-24 14:19 PDT by Frédéric Buclin
Modified: 2012-11-02 07:02 PDT
CC: 3 users
Flags: LpSolit: approval+
Flags: LpSolit: blocking4.4+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
patch, v1 (788 bytes, patch), 2012-08-24 14:19 PDT, Frédéric Buclin, no flags
patch, v2 (1.90 KB, patch), 2012-08-28 09:30 PDT, Frédéric Buclin, dkl: review+

Description Frédéric Buclin 2012-08-24 14:19:22 PDT
Created attachment 655158 (patch, v1)

There is no reason to let all files in the docs/ tree be browsable from the web, especially those in xsl/ or lib/. Only files which are supposed to be viewable should be whitelisted.

I created docs/.htaccess and configured it so that localizers do not need to create their own .htaccess file. Besides .txt, .pdf and .html files, we also have to whitelist .css, .png and .gif files, which are loaded from the HTML files.
Comment 1 David Lawrence [:dkl] 2012-08-28 08:41:49 PDT
Comment on attachment 655158 (patch, v1)

Review of attachment 655158:
-----------------------------------------------------------------

This breaks people's ability to automatically see index.html in docs/en/html and docs/en/html/api, which we reference in a few places in the templates.

Before patch I can do:
https://localhost/bugzilla/docs/en/html
https://localhost/bugzilla/docs/en/html/api

With patch I have to explicitly add index.html or else I get the forbidden error.

dkl
Comment 2 Frédéric Buclin 2012-08-28 08:44:12 PDT
Comment on attachment 655158 (patch, v1)

>This breaks allowing people to automatically see index.html in docs/en/html and
>docs/en/html/api which we reference in a few places in the templates.

If we are omitting index.html from the URL, then we have to fix that. That's not the problem.
Comment 3 Byron Jones ‹:glob› 2012-08-28 08:45:24 PDT
(In reply to Frédéric Buclin from comment #2)
> Comment on attachment 655158 (patch, v1)
> 
> >This breaks allowing people to automatically see index.html in docs/en/html and
> >docs/en/html/api which we reference in a few places in the templates.
> 
> If we are omitting index.html from the URL, then we have to fix that. That's
> not the problem.

i disagree -- the right way to block directory browsing is with -Indexes, not with a .htaccess hack.
Comment 4 Frédéric Buclin 2012-08-28 08:50:09 PDT
(In reply to Byron Jones ‹:glob› from comment #3)
> i disagree -- the right way to block directory browsing is with -Indexes,
> not with a .htaccess hack.

If you consider this a hack, then all first-level directories have a hack in them (Bugzilla/, templates/, graphs/, etc...)
Comment 5 Byron Jones ‹:glob› 2012-08-28 09:06:25 PDT
(In reply to Frédéric Buclin from comment #4)
> If you consider this a hack, then all first-level directories have a hack in
> them (Bugzilla/, templates/, graphs/, etc...)

oh, sorry, i was confusing the changes here with another very similar htaccess patch.
Comment 6 Frédéric Buclin 2012-08-28 09:30:49 PDT
Created attachment 656040 (patch, v2)

Options -Indexes requires a change in httpd.conf which we cannot request for branches. So this patch will be for trunk only (4.4).

I also updated the doc to no longer suggest using +Indexes, and added index.html so that we can access the documentation more easily.
Comment 7 Frédéric Buclin 2012-08-28 10:19:16 PDT
The change in httpd.conf needs to be relnoted in bold, else Apache won't be able to load Bugzilla anymore due to |Options -Indexes| in .htaccess.
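As an added illustration of the two approaches discussed in the description and in comments 6 and 7 (this is editor-supplied example configuration, not the text of patch v1 or v2, which is not on this page): a per-directory whitelist for docs/ in the style of patch v1, followed by the tree-wide Options -Indexes of patch v2 together with the httpd.conf AllowOverride change that lets Apache load it. The directory path /var/www/html/bugzilla and the exact directive wording are assumptions; the directive semantics are Apache's.

```apache
# --- Approach 1: whitelist inside docs/.htaccess (spirit of patch v1) ---
# Apache 2.2 access directives; they need "AllowOverride Limit", which the
# Bugzilla install docs already required.  On Apache 2.4 the equivalents are
# "Require all denied" / "Require all granted" (AllowOverride AuthConfig).
Order deny,allow
Deny from all

# Only the file types the rendered documentation needs are reachable.  The
# .xsl and .xml sources and everything under lib/ stay unreachable.
<FilesMatch "\.(txt|pdf|html|css|png|gif)$">
    Allow from all
</FilesMatch>

# Caveat, matching the regression in comment 1: a bare directory URL such as
# docs/en/html/ is a request for the directory itself.  No FilesMatch pattern
# matches it, so the access check returns 403 before mod_dir ever gets to
# serve index.html.  Links therefore have to name index.html explicitly.


# --- Approach 2: disable listings for the whole tree (spirit of patch v2) ---
# Bugzilla root .htaccess: one line covers docs/, extensions/ and every other
# subdirectory, so no per-directory .htaccess is needed for that purpose.
Options -Indexes

# httpd.conf, <Directory> block for the Bugzilla install (path assumed).
#
# Before: the previously documented setting.  AllowOverride lacks "Options",
# so the .htaccess line above is rejected ("Options not allowed here") and
# every request answers 500; this is why comment 7 asks for a bold relnote.
#
#   <Directory /var/www/html/bugzilla>
#       AllowOverride Limit FileInfo Indexes
#       Options +Indexes +ExecCGI
#   </Directory>
#
# After: permit Options in .htaccess and stop enabling listings globally.
<Directory /var/www/html/bugzilla>
    AllowOverride Limit FileInfo Indexes Options
    Options +ExecCGI -Indexes
</Directory>
```

A quick check after deploying either variant is to request a directory URL without a file name (for example docs/en/xml/) and confirm that the response is 403 or 404 rather than an "Index of" listing, and that a request for docs/en/html/index.html still succeeds.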
Comment 8 David Lawrence [:dkl] 2012-08-28 13:27:26 PDT
Comment on attachment 656040 (patch, v2)

Review of attachment 656040:
-----------------------------------------------------------------

r=dkl
Comment 9 Frédéric Buclin 2012-08-28 15:08:26 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified .htaccess
modified docs/en/xml/installation.xml
Committed revision 8360.
Comment 10 Frédéric Buclin 2012-11-02 07:02:02 PDT
Added to relnotes for 4.4.