Closed Bug 785522 Opened 12 years ago Closed 12 years ago

[SECURITY] Block access to templates in extensions/

Product/Component: Bugzilla :: Extensions (defect)
Version: 2.23.2
Priority: Not set
Severity: major
Status: RESOLVED FIXED
Target Milestone: Bugzilla 4.0
Reporter: LpSolit, Assigned: LpSolit
Attachments: 1 file, 1 obsolete file

It's currently possible to browse all extensions from the web, though .pm modules are hidden thanks to bugzilla/.htaccess. But all templates remain visible, including their source code:

https://landfill.bugzilla.org/bugzilla-tip/extensions/Voting/template/en/default/pages/voting/user.html.tmpl

Some custom extensions may contain sensitive data or should simply be outside user's view.

It looks like this code is not doing its job correctly, despite what the comment says:

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/webtools/bugzilla/Bugzilla/Install/Filesystem.pm#209

It looks like 3.2 and newer are all vulnerable. I will have to check with older versions.
Flags: blocking4.4+
Flags: blocking4.2.3+
Flags: blocking4.0.8+
Flags: blocking3.6.11+
Extensions exist since 2.23.2, see bug 298341.
Version: 3.2 → 2.23.2
Attached patch patch, v1 (obsolete)
I explicitly forbid directory browsing as well as viewing .pm, .pl and .tmpl files. I allow all other file formats to be viewable as we cannot guess which file formats the extensions want to pass to the browser (.css, .js, .html, .png, etc. come to mind, but there may be more).
Assignee: extensions → LpSolit
Status: NEW → ASSIGNED
Attachment #655215 - Flags: review?(dkl)
Comment on attachment 655215 [details] [diff] [review]
patch, v1

the extensions directory is already protected by the deny in the root's .htaccess:

# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pm|.*\.pl|.*localconfig.*)$>
  deny from all
</FilesMatch>


a better fix would be to add .tmpl to that list, and add |Options -Indexes| to prevent directory browsing.
Attachment #655215 - Flags: review?(dkl) → review-
(In reply to Byron Jones ‹:glob› from comment #3)
> a better fix would be to add .tmpl to that list, and add |Options -Indexes|
> to prevent directory browsing.

this will also fix bug 785511
(In reply to Byron Jones ‹:glob› from comment #3)
> a better fix would be to add .tmpl to that list, and add |Options -Indexes|
> to prevent directory browsing.

I'm fine to add .tmpl to the root .htaccess file, but the problem with Options in .htaccess is that we don't allow it by default, see http://www.bugzilla.org/docs/tip/en/html/configuration.html#http:

  <Directory /var/www/html/bugzilla>
    AddHandler cgi-script .cgi
    Options +Indexes +ExecCGI
    DirectoryIndex index.cgi
    AllowOverride Limit FileInfo Indexes
  </Directory>

Without AllowOverride Options, you cannot use Options in .htaccess. And for some unknown reason, we suggest writing Options +Indexes in httpd.conf, which is part of the problem.
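To see what the root .htaccess rule quoted above does and does not cover, here is an added check (not part of the bug or of Bugzilla's code) that models Apache's FilesMatch semantics, which test the regex against the file's basename only. It assumes the hardened rule simply adds `.*\.tmpl` to the existing alternation; the actual patch text is not shown on this page.

```python
import re
from pathlib import PurePosixPath

# Rule as quoted from the root .htaccess before the fix.
DENY_BEFORE = re.compile(r"^(.*\.pm|.*\.pl|.*localconfig.*)$")
# Assumed shape of the hardened rule: .tmpl added to the same alternation.
DENY_AFTER = re.compile(r"^(.*\.pm|.*\.pl|.*\.tmpl|.*localconfig.*)$")


def is_blocked(url_path: str, rule: re.Pattern) -> bool:
    """True if the <FilesMatch> deny applies to this request path.

    Apache matches FilesMatch against the basename, not the full path,
    so only the last path component is tested here.
    """
    return rule.match(PurePosixPath(url_path).name) is not None


# Constructed sample of paths an extension tree exposes under the webroot;
# the first one is the landfill URL quoted in the bug report.
SAMPLE_PATHS = [
    "/extensions/Voting/template/en/default/pages/voting/user.html.tmpl",
    "/extensions/Voting/Extension.pm",
    "/extensions/Voting/Config.pm",
    "/extensions/Voting/lib/Util.pm",
    "/localconfig",
    "/extensions/Example/web/style.css",
    "/extensions/Example/web/js/example.js",
    "/extensions/Example/web/logo.png",
]


def newly_blocked(paths):
    """Paths the old rule served but the hardened rule denies."""
    return [p for p in paths
            if not is_blocked(p, DENY_BEFORE) and is_blocked(p, DENY_AFTER)]


def still_served(paths):
    """Paths still served after the fix: the static assets extensions need."""
    return [p for p in paths if not is_blocked(p, DENY_AFTER)]


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        verdict = "DENY " if is_blocked(path, DENY_AFTER) else "ALLOW"
        print(f"{verdict} {path}")
```

Directory listing is a separate control that this check does not model; as the comment above notes, turning it off via `Options -Indexes` in .htaccess only works when httpd.conf grants `AllowOverride Options`.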
Attached patch patch, v2
Simply blacklist .tmpl templates as we cannot do more on branches.
Attachment #655215 - Attachment is obsolete: true
Attachment #656043 - Flags: review?(glob)
Comment on attachment 656043 [details] [diff] [review]
patch, v2

r=glob
Attachment #656043 - Flags: review?(glob) → review+
Bugzilla 3.6 is affected too, but unfortunately .htaccess is not in the bzr/CVS repo and so cannot be edited easily. I could fix the default .htaccess generated by Bugzilla/Install/Filesystem.pm, but this wouldn't fix existing .htaccess files. So we are skipping 3.6 entirely. Admins still running 3.6 can fix their .htaccess file manually if they are concerned by this issue.
Flags: blocking3.6.11-
Flags: blocking3.6.11+
Flags: approval?
Flags: approval4.2?
Flags: approval4.0?
Target Milestone: Bugzilla 3.6 → Bugzilla 4.0
Blocks: 786364
Summary: [SECURITY] Prevent directory browsing in extensions/ → [SECURITY] Block access to templates in extensions/
Flags: approval?
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified .htaccess
Committed revision 8369.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified .htaccess
Committed revision 8131.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified .htaccess
Committed revision 7720.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Group: bugzilla-security