Prevent directory browsing in docs/, extensions/ and all other subdirectories of Bugzilla

RESOLVED FIXED in Bugzilla 4.4

Status

Bugzilla
Bugzilla-General
--
minor
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

(Blocks: 1 bug)

4.3.2
Bugzilla 4.4
Bug Flags:
approval +
blocking4.4 +

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

5 years ago
Created attachment 655158 [details] [diff] [review]
patch, v1

There is no reason to let all files in the docs/ tree be browsable from the web, especially those in xsl/ or lib/. Only files which are supposed to be viewable should be whitelisted.

I create docs/.htaccess and configure it so that localizers do not need to create their own .htaccess file. Besides .txt, .pdf and .html files, we also have to whitelist .css, .png and .gif files to be loaded from HTML files.
Attachment #655158 - Flags: review?(dkl)
(Assignee)

Updated

5 years ago
Flags: blocking4.4+
Flags: blocking4.2.3+
Comment 1

Comment on attachment 655158 [details] [diff] [review]
patch, v1

Review of attachment 655158 [details] [diff] [review]:
-----------------------------------------------------------------

This breaks allowing people to automatically see index.html in docs/en/html and docs/en/html/api which we reference in a few places in the templates.

Before patch I can do:
https://localhost/bugzilla/docs/en/html
https://localhost/bugzilla/docs/en/html/api

With patch I have to explicitly add index.html or else I get the forbidden error.

dkl
Attachment #655158 - Flags: review?(dkl) → review-
(Assignee)

Comment 2

5 years ago
Comment on attachment 655158 [details] [diff] [review]
patch, v1

>This breaks allowing people to automatically see index.html in docs/en/html and
>docs/en/html/api which we reference in a few places in the templates.

If we are omitting index.html from the URL, then we have to fix that. That's not the problem.
Attachment #655158 - Flags: review- → review?(dkl)
Comment 3

(In reply to Frédéric Buclin from comment #2)
> Comment on attachment 655158 [details] [diff] [review]
> patch, v1
> 
> >This breaks allowing people to automatically see index.html in docs/en/html and
> >docs/en/html/api which we reference in a few places in the templates.
> 
> If we are omitting index.html from the URL, then we have to fix that. That's
> not the problem.

I disagree -- the right way to block directory browsing is with -Indexes, not with a .htaccess hack.
(Assignee)

Comment 4

5 years ago
(In reply to Byron Jones ‹:glob› from comment #3)
> i disagree -- the right way to block directory browsing is with -Indexes,
> not with a .htaccess hack.

If you consider this a hack, then all first-level directories have a hack in them (Bugzilla/, templates/, graphs/, etc...)
Comment 5

(In reply to Frédéric Buclin from comment #4)
> If you consider this a hack, then all first-level directories have a hack in
> them (Bugzilla/, templates/, graphs/, etc...)

Oh, sorry, I was confusing the changes here with another very similar htaccess patch.
(Assignee)

Comment 6

5 years ago
Created attachment 656040 [details] [diff] [review]
patch, v2

Options -Indexes requires a change in httpd.conf which we cannot request for branches. So this patch will be for trunk only (4.4).

I also updated the doc so that it no longer suggests using +Indexes, and added index.html so that we can access the documentation more easily.
Attachment #655158 - Attachment is obsolete: true
Attachment #655158 - Flags: review?(dkl)
Attachment #656040 - Flags: review?(dkl)
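The two mechanisms discussed in this bug (the per-directory allowlist from the description, and the `Options -Indexes` approach of patch v2 together with the httpd.conf change comment 6 mentions) side by side, as an added example. This is not the patch attached to this bug nor Bugzilla's own .htaccess; the install path /var/www/bugzilla, the `<Directory>` block and the exact allowlist are assumptions.

```apache
# --- httpd.conf (server-level; /var/www/bugzilla is an assumed install path) ---
# An "Options" directive in a .htaccess file is only honoured when the
# enclosing <Directory> grants "AllowOverride Options". Without it Apache
# refuses every request under the tree with "500 Internal Server Error"
# (".htaccess: Options not allowed here"), which is why the httpd.conf
# change must be release-noted: an old httpd.conf plus a new .htaccess
# stops Bugzilla from loading at all.
<Directory "/var/www/bugzilla">
    # Weak setting: auto-generated listings for the whole tree, so every
    # subdirectory without an index file (docs/en/xml/, extensions/, ...)
    # is browsable and exposes file names and versions.
    # Options +Indexes +FollowSymLinks

    # Hardened server-level default: no listings anywhere.
    Options -Indexes +FollowSymLinks

    # Let .htaccess files set Options, DirectoryIndex, access rules and
    # rewrite rules. The narrower 2.4 form "AllowOverride Options=Indexes"
    # permits only the Indexes toggle.
    AllowOverride Options Indexes Limit FileInfo
</Directory>

# --- .htaccess at the Bugzilla root (patch v2 approach) ------------------------
# Applies to this directory and every subdirectory that does not override it
# (extensions/, template/, docs/, ...), so no per-directory .htaccess is needed.
Options -Indexes

# Serve index.html for a bare directory URL (docs/en/html, docs/en/html/api)
# so the links in the templates keep working now that listings are gone.
DirectoryIndex index.html index.cgi

# --- docs/.htaccess (allowlist approach from the description, patch v1) --------
# Branch-compatible because it needs no httpd.conf change. Deny every file,
# then re-allow only what the HTML documentation needs: pages, text, PDF,
# plus the stylesheets and images those pages load.
# Apache 2.2 syntax (mod_authz_host): both sections use "Order deny,allow";
# the second section inherits "Deny from all" when its sections are merged,
# and under deny,allow a request matching both Deny and Allow is allowed.
<FilesMatch ".*">
    Order deny,allow
    Deny from all
</FilesMatch>
<FilesMatch "\.(html|txt|pdf|css|png|gif)$">
    Order deny,allow
    Allow from all
</FilesMatch>
# Apache 2.4 equivalent (mod_authz_core): "Require all denied" in the first
# section and "Require all granted" in the second; the later Require
# replaces the earlier one for matching files.
```

After deploying either variant, verify with a request for a directory that has no index file (for example docs/en/xml/): the expected answer is 403 Forbidden, not a listing, and a 500 response on every URL means the `AllowOverride` line in httpd.conf is missing.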
(Assignee)

Updated

5 years ago
Target Milestone: Bugzilla 4.2 → Bugzilla 4.4
(Assignee)

Updated

5 years ago
Flags: blocking4.2.3+
(Assignee)

Comment 7

5 years ago
The change in httpd.conf needs to be relnoted in bold, else Apache won't be able to load Bugzilla anymore due to |Options -Indexes| in .htaccess.
Keywords: relnote
Comment 8

Comment on attachment 656040 [details] [diff] [review]
patch, v2

Review of attachment 656040 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #656040 - Flags: review?(dkl) → review+
(Assignee)

Updated

5 years ago
Flags: approval+
(Assignee)

Comment 9

5 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified .htaccess
modified docs/en/xml/installation.xml
Committed revision 8360.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Updated

5 years ago
Summary: Prevent directory browsing in docs/ → Prevent directory browsing in docs/, extensions/ and all other subdirectories of Bugzilla
Blocks: 787688
(Assignee)

Comment 10

5 years ago
Added to relnotes for 4.4.
Keywords: relnote