
[SECURITY] Block access to templates in extensions/

RESOLVED FIXED in Bugzilla 4.0

Status


Bugzilla
Extensions
--
major
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

(Blocks: 1 bug)

2.23.2
Bugzilla 4.0
Dependency tree / graph
Bug Flags:
approval +
blocking4.4 +
approval4.2 +
blocking4.2.3 +
approval4.0 +
blocking4.0.8 +
blocking3.6.11 -

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

5 years ago
It's currently possible to browse all extensions from the web, though .pm modules are hidden thanks to bugzilla/.htaccess. But all templates remain visible, including their source code:

https://landfill.bugzilla.org/bugzilla-tip/extensions/Voting/template/en/default/pages/voting/user.html.tmpl

Some custom extensions may contain sensitive data or should simply be outside the user's view.

It looks like this code is not doing its job correctly, despite what the comment says:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/webtools/bugzilla/Bugzilla/Install/Filesystem.pm#209

It looks like 3.2 and newer are all vulnerable. I will have to check with older versions.
Flags: blocking4.4+
Flags: blocking4.2.3+
Flags: blocking4.0.8+
Flags: blocking3.6.11+
(Assignee)

Comment 1

5 years ago
Extensions have existed since 2.23.2, see bug 298341.
Version: 3.2 → 2.23.2
(Assignee)

Comment 2

5 years ago
Created attachment 655215 [details] [diff] [review]
patch, v1

I explicitly forbid directory browsing as well as viewing .pm, .pl and .tmpl files. I allow all other file formats to be viewable as we cannot guess which file formats the extensions want to pass to the browser (.css, .js, .html, .png, etc. come to mind, but there may be more).
Assignee: extensions → LpSolit
Status: NEW → ASSIGNED
Attachment #655215 - Flags: review?(dkl)
Comment on attachment 655215 [details] [diff] [review]
patch, v1

the extensions directory is already protected by the deny in the root's .htaccess:

# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pm|.*\.pl|.*localconfig.*)$>
  deny from all
</FilesMatch>


a better fix would be to add .tmpl to that list, and add |Options -Indexes| to prevent directory browsing.
Attachment #655215 - Flags: review?(dkl) → review-
(In reply to Byron Jones ‹:glob› from comment #3)
> a better fix would be to add .tmpl to that list, and add |Options -Indexes|
> to prevent directory browsing.

this will also fix bug 785511
(Assignee)

Comment 5

5 years ago
(In reply to Byron Jones ‹:glob› from comment #3)
> a better fix would be to add .tmpl to that list, and add |Options -Indexes|
> to prevent directory browsing.

I'm fine with adding .tmpl to the root .htaccess file, but the problem with Options in .htaccess is that we don't allow it by default, see http://www.bugzilla.org/docs/tip/en/html/configuration.html#http:

  <Directory /var/www/html/bugzilla>
    AddHandler cgi-script .cgi
    Options +Indexes +ExecCGI
    DirectoryIndex index.cgi
    AllowOverride Limit FileInfo Indexes
  </Directory>

Without AllowOverride Options, you cannot use Options in .htaccess. And for some unknown reason, we suggest writing Options +Indexes in httpd.conf, which is part of the problem.
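Added example (not part of the bug report, the patch, or Bugzilla's own files): a small Python check that applies the deny rule quoted in comment 3 to a constructed list of paths under extensions/, first with the original FilesMatch regex and then with .tmpl added as glob suggested in comment 3 and as the landed patch does. The .htaccess fragments, the sample paths and the helper names (denied_patterns, is_blocked, served) are all constructed for this illustration. It only models the FilesMatch rule; the directory-listing part of comment 5 (Options -Indexes needing AllowOverride Options in httpd.conf) cannot be simulated this way and is not covered.

```python
import re
from os.path import basename

# Constructed .htaccess fragments (assumptions, not Bugzilla's actual files).
# ORIGINAL mirrors the rule quoted in comment 3; PATCHED adds .tmpl to the list.
ORIGINAL_HTACCESS = r"""# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pm|.*\.pl|.*localconfig.*)$>
  deny from all
</FilesMatch>
"""

PATCHED_HTACCESS = r"""# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pm|.*\.pl|.*\.tmpl|.*localconfig.*)$>
  deny from all
</FilesMatch>
"""

# Constructed sample paths: what an extensions/ tree typically contains.
SAMPLE_PATHS = [
    "extensions/Voting/Extension.pm",
    "extensions/Voting/Config.pm",
    "extensions/Voting/lib/Util.pm",
    "extensions/Voting/template/en/default/pages/voting/user.html.tmpl",
    "extensions/Voting/web/style.css",
    "extensions/Voting/web/js/voting.js",
    "localconfig",
]

# Matches a <FilesMatch REGEX> ... deny from all ... </FilesMatch> block and
# captures REGEX. Backtracking lets \S+ stop before the closing '>'.
FILESMATCH_RE = re.compile(
    r"<FilesMatch\s+(?P<pat>\S+)\s*>\s*deny from all\s*</FilesMatch>", re.I
)


def denied_patterns(htaccess):
    """Compile the regex of every FilesMatch block that denies all access.

    The pattern quoted on the page uses only constructs that behave the same
    in Python's re as in Apache's PCRE, so compiling it directly is faithful.
    """
    return [re.compile(m.group("pat")) for m in FILESMATCH_RE.finditer(htaccess)]


def is_blocked(htaccess, path):
    """Apache evaluates FilesMatch against the file's basename, not the URL path."""
    name = basename(path)
    return any(p.search(name) for p in denied_patterns(htaccess))


def served(htaccess, paths):
    """Return the paths that the given .htaccess would still let Apache serve."""
    return [p for p in paths if not is_blocked(htaccess, p)]


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_HTACCESS), ("patched", PATCHED_HTACCESS)):
        print(f"{label}: still served ->")
        for p in served(conf, SAMPLE_PATHS):
            print("   ", p)
```

With the original rule the template source under template/ is the only non-asset file left reachable; with .tmpl added only the .css and .js assets an extension legitimately ships for the browser remain served, which is the allow-everything-else behaviour comment 2 argues for.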
(Assignee)

Comment 6

5 years ago
Created attachment 656043 [details] [diff] [review]
patch, v2

Simply blacklist .tmpl templates as we cannot do more on branches.
Attachment #655215 - Attachment is obsolete: true
Attachment #656043 - Flags: review?(glob)
Comment on attachment 656043 [details] [diff] [review]
patch, v2

r=glob
Attachment #656043 - Flags: review?(glob) → review+
(Assignee)

Comment 8

5 years ago
Bugzilla 3.6 is affected too, but unfortunately .htaccess is not in the bzr/CVS repo and so cannot be edited easily. I could fix the default .htaccess generated by Bugzilla/Install/Filesystem.pm, but this wouldn't fix existing .htaccess files. So we are skipping 3.6 entirely. Admins still running 3.6 can fix their .htaccess file manually if they are concerned about this issue.
Flags: blocking3.6.11-
Flags: blocking3.6.11+
Flags: approval?
Flags: approval4.2?
Flags: approval4.0?
Target Milestone: Bugzilla 3.6 → Bugzilla 4.0
(Assignee)

Updated

5 years ago
Blocks: 786364
(Assignee)

Updated

5 years ago
Summary: [SECURITY] Prevent directory browsing in extensions/ → [SECURITY] Block access to templates in extensions/
(Assignee)

Updated

5 years ago
Flags: approval?
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+
(Assignee)

Comment 9

5 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified .htaccess
Committed revision 8369.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified .htaccess
Committed revision 8131.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified .htaccess
Committed revision 7720.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Updated

5 years ago
Group: bugzilla-security