Bug 785511: Prevent directory browsing in docs/, extensions/ and all other subdirectories of Bugzilla
Status: RESOLVED FIXED (opened 12 years ago, closed 12 years ago)
Categories: Bugzilla :: Bugzilla-General, defect
Target Milestone: Bugzilla 4.4
People: Reporter: LpSolit, Assigned: LpSolit
Attachments: 1 file, 1 obsolete file
patch, 1.90 KB, dkl: review+
There is no reason to let all files in the doc/ tree be browsable from the web, especially those being in xsl/ or lib/. Only files which are supposed to be viewable should be whitelisted.
I create docs/.htaccess and configure it so that localizers do not need to create their own .htaccess file. Besides .txt, .pdf and .html files, we also have to whitelist .css, .png and .gif files to be loaded from HTML files.
Attachment #655158 - Flags: review?(dkl)
Updated•12 years ago (Assignee)
Flags: blocking4.4+
Flags: blocking4.2.3+
Comment 1•12 years ago
Comment on attachment 655158
patch, v1
Review of attachment 655158:
-----------------------------------------------------------------
This breaks allowing people to automatically see index.html in docs/en/html and docs/en/html/api which we reference in a few places in the templates.
Before patch I can do:
https://localhost/bugzilla/docs/en/html
https://localhost/bugzilla/docs/en/html/api
With patch I have to explicitly add index.html or else I get the forbidden error.
dkl
Attachment #655158 - Flags: review?(dkl) → review-
Comment 2•12 years ago (Assignee)
Comment on attachment 655158
patch, v1
>This breaks allowing people to automatically see index.html in docs/en/html and
>docs/en/html/api which we reference in a few places in the templates.
If we are omitting index.html from the URL, then we have to fix that. That's not the problem.
Attachment #655158 - Flags: review- → review?(dkl)
Comment 3•12 years ago
(In reply to Frédéric Buclin from comment #2)
> Comment on attachment 655158
> patch, v1
>
> >This breaks allowing people to automatically see index.html in docs/en/html and
> >docs/en/html/api which we reference in a few places in the templates.
>
> If we are omitting index.html from the URL, then we have to fix that. That's
> not the problem.
i disagree -- the right way to block directory browsing is with -Indexes, not with a .htaccess hack.
Comment 4•12 years ago (Assignee)
(In reply to Byron Jones ‹:glob› from comment #3)
> i disagree -- the right way to block directory browsing is with -Indexes,
> not with a .htaccess hack.
If you consider this a hack, then all first-level directories have a hack in them (Bugzilla/, templates/, graphs/, etc...)
Comment 5•12 years ago
(In reply to Frédéric Buclin from comment #4)
> If you consider this a hack, then all first-level directories have a hack in
> them (Bugzilla/, templates/, graphs/, etc...)
oh, sorry, i was confusing the changes here with another very similar htaccess patch.
Comment 6•12 years ago (Assignee)
Options -Indexes requires a change in httpd.conf which we cannot request for branches. So this patch will be for trunk only (4.4).
I also updated the doc to not suggest to use +Indexes, and also add index.html so that we can access the documentation more easily.
Attachment #655158 - Attachment is obsolete: true
Attachment #655158 - Flags: review?(dkl)
Attachment #656040 - Flags: review?(dkl)
Updated•12 years ago (Assignee)
Target Milestone: Bugzilla 4.2 → Bugzilla 4.4
Updated•12 years ago (Assignee)
Flags: blocking4.2.3+
Comment 7•12 years ago (Assignee)
The change in httpd.conf needs to be relnoted in bold, else Apache won't be able to load Bugzilla anymore due to |Options -Indexes| in .htaccess.
Keywords: relnote
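An added example, not part of the original bug or Bugzilla's own code: a pre-upgrade check for the breakage comment 7 warns about. It scans the `<Directory>` blocks of an httpd.conf (a constructed sample here) and reports whether `AllowOverride` lets a .htaccess file use `Options -Indexes`; the paths and function names are assumptions.

```python
import re

# Constructed httpd.conf fragment; the paths are placeholders, not taken from the bug.
SAMPLE_HTTPD_CONF = """\
<Directory "/var/www/html/bugzilla">
    Options +ExecCGI
    AllowOverride Limit FileInfo Indexes
</Directory>
<Directory /var/www/html/bugzilla-trunk>
    # AllowOverride None
    AllowOverride Limit FileInfo Indexes Options
</Directory>
<Directory /var/www/html/static>
    DirectoryIndex index.html
</Directory>
"""

def permits_options_indexes(tokens):
    """True if these AllowOverride arguments let .htaccess use 'Options -Indexes'."""
    for tok in (t.lower() for t in tokens):
        if tok in ("all", "options"):
            return True
        # Assumption: an Options=<list> form must name Indexes (or All) to qualify.
        if tok.startswith("options="):
            allowed = tok.split("=", 1)[1].split(",")
            if "indexes" in allowed or "all" in allowed:
                return True
    return False

def audit_allowoverride(conf_text):
    """Return (directory, ok) per <Directory> block; ok is None if AllowOverride is unset."""
    results, current, args = [], None, None
    for raw in conf_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        opened = re.match(r'\s*<Directory\s+"?([^">]+)"?\s*>', raw, re.I)
        if opened:
            current, args = opened.group(1), None
        elif words[0].lower() == "</directory>" and current is not None:
            results.append((current, None if args is None else permits_options_indexes(args)))
            current = None
        elif current is not None and words[0].lower() == "allowoverride":
            args = words[1:]
    return results

if __name__ == "__main__":
    for directory, ok in audit_allowoverride(SAMPLE_HTTPD_CONF):
        print(directory, {True: "ok", False: "Options in .htaccess rejected", None: "unset"}[ok])
```

The `Indexes` keyword of `AllowOverride` covers directory-indexing directives such as `DirectoryIndex`, not the `Options` directive, so the first sample block is reported as failing even though it lists `Indexes`.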
Comment 8•12 years ago
Comment on attachment 656040
patch, v2
Review of attachment 656040:
-----------------------------------------------------------------
r=dkl
Attachment #656040 - Flags: review?(dkl) → review+
Updated•12 years ago (Assignee)
Flags: approval+
Comment 9•12 years ago (Assignee)
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified .htaccess
modified docs/en/xml/installation.xml
Committed revision 8360.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago (Assignee)
Summary: Prevent directory browsing in docs/ → Prevent directory browsing in docs/, extensions/ and all other subdirectories of Bugzilla