It's currently possible to browse all extensions from the web, though .pm modules are hidden thanks to bugzilla/.htaccess. But all templates remain visible, including their source code: https://landfill.bugzilla.org/bugzilla-tip/extensions/Voting/template/en/default/pages/voting/user.html.tmpl Some custom extensions may contain sensitive data or should simply be outside the user's view. It looks like this code is not doing its job correctly, despite what the comment says: http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/webtools/bugzilla/Bugzilla/Install/Filesystem.pm#209 It looks like 3.2 and newer are all vulnerable. I will have to check with older versions.
Extensions exist since 2.23.2, see bug 298341.
Version: 3.2 → 2.23.2
I explicitly forbid directory browsing as well as viewing .pm, .pl and .tmpl files. I allow all other file formats to be viewable as we cannot guess which file formats the extensions want to pass to the browser (.css, .js, .html, .png, etc. come to mind, but there may be more).
Assignee: extensions → LpSolit
Status: NEW → ASSIGNED
Attachment #655215 - Flags: review?(dkl)
Comment on attachment 655215 [details] [diff] [review] patch, v1 the extensions directory is already protected by the deny in the root's .htaccess:
# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pm|.*\.pl|.*localconfig.*)$>
deny from all
</FilesMatch>
a better fix would be to add .tmpl to that list, and add |Options -Indexes| to prevent directory browsing.
Attachment #655215 - Flags: review?(dkl) → review-
(In reply to Byron Jones ‹:glob› from comment #3) > a better fix would be to add .tmpl to that list, and add |Options -Indexes| > to prevent directory browsing. This will also fix bug 785511.
(In reply to Byron Jones ‹:glob› from comment #3) > a better fix would be to add .tmpl to that list, and add |Options -Indexes| > to prevent directory browsing. I'm fine to add .tmpl to the root .htaccess file, but the problem with Options in .htaccess is that we don't allow it by default, see http://www.bugzilla.org/docs/tip/en/html/configuration.html#http:
<Directory /var/www/html/bugzilla>
AddHandler cgi-script .cgi
Options +Indexes +ExecCGI
DirectoryIndex index.cgi
AllowOverride Limit FileInfo Indexes
</Directory>
Without AllowOverride Options, you cannot use Options in .htaccess. And for some unknown reason, we suggest writing Options +Indexes in httpd.conf, which is part of the problem.
Simply blacklist .tmpl templates as we cannot do more on branches.
Comment on attachment 656043 [details] [diff] [review] patch, v2 r=glob
Attachment #656043 - Flags: review?(glob) → review+
Bugzilla 3.6 is affected too, but unfortunately .htaccess is not in the bzr/CVS repo and so cannot be edited easily. I could fix the default .htaccess generated by Bugzilla/Install/Filesystem.pm, but this wouldn't fix existing .htaccess files. So we are skipping 3.6 entirely. Admins still running 3.6 can fix their .htaccess file manually if they are concerned by this issue.
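As an added illustration for admins applying the .htaccess change by hand (this is not code from the bug, the patch, or Bugzilla itself): a Python script that models the root .htaccess FilesMatch deny rule quoted in comment #3 before and after .tmpl is added, and runs both over constructed sample paths. The patched regex is an assumption, since the committed one is not quoted in this bug.

```python
import re

# Deny pattern quoted in comment #3 from Bugzilla's root .htaccess (before the fix).
ORIGINAL_PATTERN = r"^(.*\.pm|.*\.pl|.*localconfig.*)$"
# Same rule with .tmpl added, as the fix describes. The committed regex is not
# quoted in this bug, so the exact form used here is an assumption.
PATCHED_PATTERN = r"^(.*\.pm|.*\.pl|.*\.tmpl|.*localconfig.*)$"

# Constructed sample request paths under a Bugzilla document root.
SAMPLE_PATHS = [
    "extensions/Voting/template/en/default/pages/voting/user.html.tmpl",
    "extensions/Voting/Extension.pm",
    "extensions/Voting/lib/Util.pm",
    "Bugzilla/Install/Filesystem.pm",
    "localconfig",
    "localconfig.bak",
    "extensions/Voting/web/style.css",
    "skins/standard/global.css",
    "js/util.js",
    "index.cgi",
]


def is_denied(path: str, pattern: str) -> bool:
    """Model an Apache <FilesMatch> deny rule.

    FilesMatch tests its regex against the file name (the last path component),
    not the full request path, so that is what is matched here.
    """
    basename = path.rsplit("/", 1)[-1]
    return re.search(pattern, basename) is not None


def exposed_files(paths, pattern):
    """Return the paths a given deny pattern would still let a browser fetch."""
    return [p for p in paths if not is_denied(p, pattern)]


def newly_blocked(paths, old_pattern, new_pattern):
    """Paths denied by new_pattern but served under old_pattern (what the fix gains)."""
    return [p for p in paths
            if is_denied(p, new_pattern) and not is_denied(p, old_pattern)]


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL_PATTERN), ("patched", PATCHED_PATTERN)):
        print(f"{label}: still served -> {exposed_files(SAMPLE_PATHS, pat)}")
    print("gained by the fix:", newly_blocked(SAMPLE_PATHS, ORIGINAL_PATTERN, PATCHED_PATTERN))
```

Swap in the FilesMatch regex from your own .htaccess and the paths of your installed extensions to check that only static assets (.css, .js, images) remain fetchable.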
Target Milestone: Bugzilla 3.6 → Bugzilla 4.0
Summary: [SECURITY] Prevent directory browsing in extensions/ → [SECURITY] Block access to templates in extensions/
Committing to: bzr+ssh://firstname.lastname@example.org/bugzilla/trunk/ modified .htaccess Committed revision 8369. Committing to: bzr+ssh://email@example.com/bugzilla/4.2/ modified .htaccess Committed revision 8131. Committing to: bzr+ssh://firstname.lastname@example.org/bugzilla/4.0/ modified .htaccess Committed revision 7720.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED