Bug 785522 - [SECURITY] Block access to templates in extensions/
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Extensions
Version: 2.23.2
Platform: All All
Importance: -- major
Target Milestone: Bugzilla 4.0
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
Depends on:
Blocks: 785112 786364

Reported: 2012-08-24 14:56 PDT by Frédéric Buclin
Modified: 2012-08-30 13:49 PDT
CC: 3 users
LpSolit: approval+
LpSolit: blocking4.4+
LpSolit: approval4.2+
LpSolit: blocking4.2.3+
LpSolit: approval4.0+
LpSolit: blocking4.0.8+
LpSolit: blocking3.6.11-
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
patch, v1 (987 bytes, patch)
2012-08-24 16:24 PDT, Frédéric Buclin
glob: review-
patch, v2 (504 bytes, patch)
2012-08-28 09:33 PDT, Frédéric Buclin
glob: review+

Description Frédéric Buclin 2012-08-24 14:56:13 PDT
It's currently possible to browse all extensions from the web, though .pm modules are hidden thanks to bugzilla/.htaccess. But all templates remain visible, including their source code:

https://landfill.bugzilla.org/bugzilla-tip/extensions/Voting/template/en/default/pages/voting/user.html.tmpl

Some custom extensions may contain sensitive data or should simply be outside users' view.

It looks like this code is not doing its job correctly, despite what the comment says:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/webtools/bugzilla/Bugzilla/Install/Filesystem.pm#209

It looks like 3.2 and newer are all vulnerable. I will have to check with older versions.
Comment 1 Frédéric Buclin 2012-08-24 15:07:51 PDT
Extensions exist since 2.23.2, see bug 298341.
Comment 2 Frédéric Buclin 2012-08-24 16:24:05 PDT
Created attachment 655215 [details] [diff] [review]
patch, v1

I explicitly forbid directory browsing as well as viewing .pm, .pl and .tmpl files. I allow all other file formats to be viewable as we cannot guess which file formats the extension wants to pass to the browser (.css, .js, .html, .png, etc. come to mind, but there may be more).
Comment 3 Byron Jones ‹:glob› 2012-08-26 21:08:55 PDT
Comment on attachment 655215 [details] [diff] [review]
patch, v1

the extensions directory is already protected by the deny in the root's .htaccess:

# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pm|.*\.pl|.*localconfig.*)$>
  deny from all
</FilesMatch>

a better fix would be to add .tmpl to that list, and add |Options -Indexes| to prevent directory browsing.
Comment 4 Byron Jones ‹:glob› 2012-08-26 21:17:00 PDT
(In reply to Byron Jones ‹:glob› from comment #3)
> a better fix would be to add .tmpl to that list, and add |Options -Indexes|
> to prevent directory browsing.

this will also fix bug 785511
Comment 5 Frédéric Buclin 2012-08-27 14:26:54 PDT
(In reply to Byron Jones ‹:glob› from comment #3)
> a better fix would be to add .tmpl to that list, and add |Options -Indexes|
> to prevent directory browsing.

I'm fine to add .tmpl to the root .htaccess file, but the problem with Options in .htaccess is that we don't allow it by default, see http://www.bugzilla.org/docs/tip/en/html/configuration.html#http:

  <Directory /var/www/html/bugzilla>
    AddHandler cgi-script .cgi
    Options +Indexes +ExecCGI
    DirectoryIndex index.cgi
    AllowOverride Limit FileInfo Indexes
  </Directory>

Without AllowOverride Options, you cannot use Options in .htaccess. And for some unknown reason, we suggest writing Options +Indexes in httpd.conf, which is part of the problem.
Comment 6 Frédéric Buclin 2012-08-28 09:33:44 PDT
Created attachment 656043 [details] [diff] [review]
patch, v2

Simply blacklist .tmpl templates as we cannot do more on branches.
Comment 7 Byron Jones ‹:glob› 2012-08-28 09:35:06 PDT
Comment on attachment 656043 [details] [diff] [review]
patch, v2

r=glob
Comment 8 Frédéric Buclin 2012-08-28 09:57:34 PDT
Bugzilla 3.6 is affected too, but unfortunately .htaccess is not in the bzr/CVS repo and so cannot be edited easily. I could fix the default .htaccess generated by Bugzilla/Install/Filesystem.pm, but this wouldn't fix existing .htaccess files. So we are skipping 3.6 entirely. Admins still running 3.6 can fix their .htaccess file manually if they are concerned by this issue.
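Added example (not Bugzilla's own code): a small POSIX shell audit for the manual fix that comment 8 leaves to admins still on 3.6. It checks whether the root .htaccess FilesMatch deny quoted in comment 3 already covers .tmpl and, if not, inserts the extra alternative. The function names and the two sample .htaccess texts are constructed for this illustration.

```shell
#!/bin/sh
# Hypothetical helper, not Bugzilla code: audit a Bugzilla root .htaccess
# for a FilesMatch deny that also covers .tmpl templates, and add it when
# it is missing.  Usage: htaccess_denies_tmpl < /path/to/bugzilla/.htaccess

# Exit 0 when the .htaccess text on stdin contains a FilesMatch block that
# denies *.tmpl (Apache 2.2 "deny from all" or Apache 2.4 "Require all denied").
htaccess_denies_tmpl() {
    awk '
        /<FilesMatch/ { inblock = 1; pat = $0; deny = 0; next }
        inblock && tolower($0) ~ /deny from all|require all denied/ { deny = 1 }
        /<\/FilesMatch>/ { if (deny && pat ~ /\.tmpl/) found = 1; inblock = 0 }
        END { exit found ? 0 : 1 }
    '
}

# Read .htaccess text on stdin and write it back with ".*\.tmpl" added to the
# deny pattern, right after the ".*\.pl" alternative; text that already denies
# .tmpl is passed through unchanged so the function is safe to re-run.
add_tmpl_deny() {
    input=$(cat)
    if printf '%s\n' "$input" | htaccess_denies_tmpl; then
        printf '%s\n' "$input"
    else
        printf '%s\n' "$input" | sed 's/\.pl|/.pl|.*\\.tmpl|/'
    fi
}

# Constructed sample: the pre-fix rule quoted in comment 3 (pm, pl, localconfig).
sample_vulnerable() {
cat <<'EOF'
# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pm|.*\.pl|.*localconfig.*)$>
  deny from all
</FilesMatch>
EOF
}

# Constructed sample: one way of adding .tmpl to that pattern, as comment 6 describes.
sample_fixed() {
cat <<'EOF'
<FilesMatch ^(.*\.pm|.*\.pl|.*\.tmpl|.*localconfig.*)$>
  deny from all
</FilesMatch>
EOF
}
```

The audit only inspects the FilesMatch deny; it deliberately does not add Options -Indexes, because, as comment 5 notes, that directive is rejected unless AllowOverride Options is granted in httpd.conf.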
Comment 9 Frédéric Buclin 2012-08-30 11:19:35 PDT
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified .htaccess
Committed revision 8369.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified .htaccess
Committed revision 8131.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified .htaccess
Committed revision 7720.
