Closed Bug 785511 Opened 12 years ago Closed 12 years ago

Prevent directory browsing in docs/, extensions/ and all other subdirectories of Bugzilla

Categories

(Bugzilla :: Bugzilla-General, defect)

4.3.2
defect
Not set
minor

Tracking


RESOLVED FIXED
Bugzilla 4.4

People

(Reporter: LpSolit, Assigned: LpSolit)

Attachments

(1 file, 1 obsolete file)

Attached patch patch, v1 (obsolete) — Splinter Review
There is no reason to let all files in the doc/ tree be browsable from the web, especially those in xsl/ or lib/. Only files which are supposed to be viewable should be whitelisted.

I create docs/.htaccess and configure it so that localizers do not need to create their own .htaccess file. Besides .txt, .pdf and .html files, we also have to whitelist .css, .png and .gif files to be loaded from HTML files.
Attachment #655158 - Flags: review?(dkl)
Flags: blocking4.4+
Flags: blocking4.2.3+
Comment on attachment 655158 [details] [diff] [review]
patch, v1

Review of attachment 655158 [details] [diff] [review]:
-----------------------------------------------------------------

This breaks allowing people to automatically see index.html in docs/en/html and docs/en/html/api which we reference in a few places in the templates.

Before patch I can do:
https://localhost/bugzilla/docs/en/html
https://localhost/bugzilla/docs/en/html/api

With patch I have to explicitly add index.html or else I get the forbidden error.

dkl
Attachment #655158 - Flags: review?(dkl) → review-
Comment on attachment 655158 [details] [diff] [review]
patch, v1

>This breaks allowing people to automatically see index.html in docs/en/html and
>docs/en/html/api which we reference in a few places in the templates.

If we are omitting index.html from the URL, then we have to fix that. That's not the problem.
Attachment #655158 - Flags: review- → review?(dkl)
(In reply to Frédéric Buclin from comment #2)
> Comment on attachment 655158 [details] [diff] [review]
> patch, v1
> 
> >This breaks allowing people to automatically see index.html in docs/en/html and
> >docs/en/html/api which we reference in a few places in the templates.
> 
> If we are omitting index.html from the URL, then we have to fix that. That's
> not the problem.

i disagree -- the right way to block directory browsing is with -Indexes, not with a .htaccess hack.
(In reply to Byron Jones ‹:glob› from comment #3)
> i disagree -- the right way to block directory browsing is with -Indexes,
> not with a .htaccess hack.

If you consider this a hack, then all first-level directories have a hack in them (Bugzilla/, templates/, graphs/, etc...)
(In reply to Frédéric Buclin from comment #4)
> If you consider this a hack, then all first-level directories have a hack in
> them (Bugzilla/, templates/, graphs/, etc...)

oh, sorry, i was confusing the changes here with another very similar htaccess patch.
Attached patch patch, v2 — Splinter Review
Options -Indexes requires a change in httpd.conf which we cannot request for branches. So this patch will be for trunk only (4.4).

I also updated the doc to not suggest using +Indexes, and also added index.html so that we can access the documentation more easily.
Attachment #655158 - Attachment is obsolete: true
Attachment #655158 - Flags: review?(dkl)
Attachment #656040 - Flags: review?(dkl)
Target Milestone: Bugzilla 4.2 → Bugzilla 4.4
Flags: blocking4.2.3+
The change in httpd.conf needs to be relnoted in bold, else Apache won't be able to load Bugzilla anymore due to |Options -Indexes| in .htaccess.
Keywords: relnote
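The two configurations discussed in this bug, written out as an added example (not the attached patch or Bugzilla's own .htaccess): the v2 approach of `Options -Indexes` in the top-level .htaccess together with the httpd.conf change the relnote above refers to, and the v1-style whitelist for docs/. The install path, the exact AllowOverride list and the whitelist pattern are assumptions.

```apache
# ---- httpd.conf (server-wide; install path is an assumption) ----
# "Options" is only honoured in .htaccess when AllowOverride permits it.
# Without "Options" in this list Apache rejects the .htaccess below and
# answers every Bugzilla request with 500, which is what the relnote warns about.
<Directory "/var/www/html/bugzilla">
    AllowOverride Limit FileInfo Indexes Options
    Options -Indexes +FollowSymLinks
</Directory>

# ---- bugzilla/.htaccess (v2 approach: no listings anywhere below here) ----
# Applies to docs/, extensions/ and every other subdirectory.
Options -Indexes
# Bare directory URLs such as docs/en/html/ still resolve to index.html,
# which was the reviewer's objection to the first patch.
DirectoryIndex index.cgi index.html

# ---- bugzilla/docs/.htaccess (v1 approach: deny by default, whitelist by type) ----
# Apache 2.2 access-control syntax (Order/Deny/Allow); Apache 2.4 uses "Require".
# A later matching section replaces the earlier one, so the whitelist wins
# for the listed extensions and everything else (xsl/, lib/ sources) is denied.
<FilesMatch ".*">
    Order Deny,Allow
    Deny from all
</FilesMatch>
<FilesMatch "\.(html|txt|pdf|css|png|gif)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>
```

Verify after editing by requesting a directory without a trailing file name on a test install: it should return the index page, not a listing, and a request for a file under docs/en/xsl/ should return 403 rather than the source.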
Comment on attachment 656040 [details] [diff] [review]
patch, v2

Review of attachment 656040 [details] [diff] [review]:
-----------------------------------------------------------------

r=dkl
Attachment #656040 - Flags: review?(dkl) → review+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified .htaccess
modified docs/en/xml/installation.xml
Committed revision 8360.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Summary: Prevent directory browsing in docs/ → Prevent directory browsing in docs/, extensions/ and all other subdirectories of Bugzilla
Blocks: 787688
Added to relnotes for 4.4.
Keywords: relnote