Bug 785522 - [SECURITY] Block access to templates in extensions/
Status: RESOLVED FIXED (Closed)
Opened 12 years ago, closed 12 years ago
Product / Component: Bugzilla :: Extensions (defect)
Target Milestone: Bugzilla 4.0
Reporter: LpSolit; Assignee: LpSolit
Attachments: 1 file, 1 obsolete file (patch, 504 bytes, review+ from glob)

Description (Reporter)
It's currently possible to browse all extensions from the web, though .pm modules are hidden thanks to bugzilla/.htaccess. But all templates remain visible, including their source code:

    https://landfill.bugzilla.org/bugzilla-tip/extensions/Voting/template/en/default/pages/voting/user.html.tmpl

Some custom extensions may contain sensitive data or should simply be outside the user's view.

It looks like this code is not doing its job correctly, despite what the comment says:

    http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/webtools/bugzilla/Bugzilla/Install/Filesystem.pm#209

It looks like 3.2 and newer are all vulnerable. I will have to check with older versions.
Flags: blocking4.4+
Flags: blocking4.2.3+
Flags: blocking4.0.8+
Flags: blocking3.6.11+
Comment 1 (Assignee, 12 years ago)
Extensions exist since 2.23.2, see bug 298341.
Version: 3.2 → 2.23.2
Comment 2 (Assignee, 12 years ago)
I explicitly forbid directory browsing as well as viewing .pm, .pl and .tmpl files. I allow all other file formats to be viewable as we cannot guess which file formats the extension wants to pass to the browser (.css, .js, .html, .png, etc. come to mind, but there may be more).
Comment 3 (Byron Jones [:glob])

Comment on attachment 655215 [details] [diff] [review]
patch, v1

the extensions directory is already protected by the deny in the root's .htaccess:

    # Don't allow people to retrieve non-cgi executable files or our private data
    <FilesMatch ^(.*\.pm|.*\.pl|.*localconfig.*)$>
    deny from all
    </FilesMatch>

a better fix would be to add .tmpl to that list, and add |Options -Indexes| to prevent directory browsing.
Attachment #655215 -
Flags: review?(dkl) → review-
Comment 4

(In reply to Byron Jones [:glob] from comment #3)
> a better fix would be to add .tmpl to that list, and add |Options -Indexes|
> to prevent directory browsing.

this will also fix bug 785511
Comment 5 (Assignee, 12 years ago)
(In reply to Byron Jones [:glob] from comment #3)
> a better fix would be to add .tmpl to that list, and add |Options -Indexes|
> to prevent directory browsing.

I'm fine to add .tmpl to the root .htaccess file, but the problem with Options in .htaccess is that we don't allow it by default, see http://www.bugzilla.org/docs/tip/en/html/configuration.html#http:

    <Directory /var/www/html/bugzilla>
      AddHandler cgi-script .cgi
      Options +Indexes +ExecCGI
      DirectoryIndex index.cgi
      AllowOverride Limit FileInfo Indexes
    </Directory>

Without AllowOverride Options, you cannot use Options in .htaccess. And for some unknown reason, we suggest writing Options +Indexes in httpd.conf, which is part of the problem.
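To see concretely what the deny rule quoted in comment 3 does and does not cover, here is an added example (not Bugzilla's own code or tooling) that replays that FilesMatch regex against a constructed list of request paths. Apache evaluates a <FilesMatch> pattern against the file's basename only, so the check strips the directory before matching; grep -E handles this particular pattern the same way Apache's regex engine does. RULE_AFTER is an assumed reconstruction of glob's suggestion (".tmpl added to the list"), not the text of the committed patch, and the sample request list is constructed for the example, modelled on the landfill URL in the report.

```shell
#!/bin/sh
# Added example: replay Bugzilla's root .htaccess deny rule against request
# paths to see which files a browser can still fetch. Not Bugzilla code.

# Rule as shipped before the fix (quoted in comment 3).
RULE_BEFORE='^(.*\.pm|.*\.pl|.*localconfig.*)$'

# Assumed post-fix rule: comment 3's suggestion of adding .tmpl to the list
# (a reconstruction for this example, not the committed patch text).
RULE_AFTER='^(.*\.pm|.*\.pl|.*\.tmpl|.*localconfig.*)$'

# Constructed sample requests, modelled on the landfill URL in the report.
SAMPLE_REQUESTS='extensions/Voting/template/en/default/pages/voting/user.html.tmpl
extensions/Voting/Extension.pm
extensions/Voting/lib/Util.pl
localconfig
extensions/Voting/web/style.css
extensions/Voting/web/js/voting.js
index.cgi'

# is_denied RULE PATH: exit 0 if the FilesMatch rule would block PATH.
# <FilesMatch> is matched against the last path component only, so the
# directory (extensions/Voting/template/...) plays no part in the decision.
is_denied() {
    printf '%s\n' "${2##*/}" | grep -Eq "$1"
}

# leaked_files RULE: print the sample requests the rule lets through.
leaked_files() {
    printf '%s\n' "$SAMPLE_REQUESTS" | while IFS= read -r path; do
        is_denied "$1" "$path" || printf '%s\n' "$path"
    done
}

# exposed_templates RULE: how many .tmpl files remain fetchable.
# (grep -c exits 1 when the count is 0; "|| true" keeps the count as output.)
exposed_templates() {
    leaked_files "$1" | grep -c '\.tmpl$' || true
}

printf 'before: %s template(s) exposed; still reachable:\n' "$(exposed_templates "$RULE_BEFORE")"
leaked_files "$RULE_BEFORE"
printf 'after:  %s template(s) exposed; still reachable:\n' "$(exposed_templates "$RULE_AFTER")"
leaked_files "$RULE_AFTER"
```

With the shipped rule the template is the only non-asset file that gets through; with .tmpl in the list only the web assets (.css, .js) and the CGI entry point remain reachable, which is the behaviour comment 2 wants to preserve. This covers only the FilesMatch half of glob's suggestion: for `Options -Indexes` in .htaccess to be honoured, the httpd.conf stanza in comment 5 would need `Options` in its AllowOverride list, otherwise Apache rejects the .htaccess and answers 500. Note also that `deny from all` is Apache 2.2 mod_authz_host syntax; on Apache 2.4 it only works with mod_access_compat loaded, the native form being `Require all denied`.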
Comment 6 (Assignee, 12 years ago)
Simply blacklist .tmpl templates as we cannot do more on branches.
Attachment #655215 -
Attachment is obsolete: true
Attachment #656043 -
Flags: review?(glob)
Comment 7 (glob)

Comment on attachment 656043 [details] [diff] [review]
patch, v2

r=glob
Attachment #656043 -
Flags: review?(glob) → review+
Comment 8 (Assignee, 12 years ago)
Bugzilla 3.6 is affected too, but unfortunately .htaccess is not in the bzr/CVS repo and so cannot be edited easily. I could fix the default .htaccess generated by Bugzilla/Install/Filesystem.pm, but this wouldn't fix existing .htaccess files. So we are skipping 3.6 entirely. Admins still running 3.6 can fix their .htaccess file manually if they are concerned about this issue.
Flags: blocking3.6.11-
Flags: blocking3.6.11+
Flags: approval?
Flags: approval4.2?
Flags: approval4.0?
Target Milestone: Bugzilla 3.6 → Bugzilla 4.0
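For admins on 3.6 who have to apply the change by hand, as comment 8 suggests, here is an added example (not Bugzilla's own code, and not the committed patch) that adds `.*\.tmpl` to the FilesMatch deny list of an existing root .htaccess, checks the result, and is safe to run twice. It assumes the FilesMatch line has exactly the shape quoted in comment 3; an .htaccess that was customised differently will not be touched, and the check function reports that. The sample .htaccess written by make_sample_htaccess is constructed for the example.

```shell
#!/bin/sh
# Added example: add .tmpl to the deny list of a Bugzilla root .htaccess
# that still has the pre-fix rule from comment 3. Not Bugzilla tooling.

# make_sample_htaccess FILE: write a constructed .htaccess with the pre-fix
# rule, for trying the functions below without touching a real install.
make_sample_htaccess() {
    cat > "$1" <<'EOF'
# Don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pm|.*\.pl|.*localconfig.*)$>
  deny from all
</FilesMatch>
EOF
}

# tmpl_is_blocked FILE: exit 0 if a FilesMatch deny line already lists \.tmpl.
# The ERE '\\\.tmpl' matches the literal characters backslash, dot, "tmpl",
# so a comment merely mentioning templates does not count.
tmpl_is_blocked() {
    grep -Eq '^<FilesMatch .*\\\.tmpl' "$1"
}

# block_templates FILE: insert ".*\.tmpl|" before the localconfig alternative
# on FilesMatch lines, keeping a .bak copy. Idempotent: a file that already
# blocks templates is left alone. Exit status tells whether .tmpl is now
# blocked, so a differently shaped rule is reported as failure, not silently
# assumed fixed.
block_templates() {
    tmpl_is_blocked "$1" && return 0
    cp "$1" "$1.bak"
    sed '/^<FilesMatch/ s/|\.\*localconfig/|.*\\.tmpl|.*localconfig/' "$1" > "$1.new" \
        && mv "$1.new" "$1"
    tmpl_is_blocked "$1"
}

# Stand-alone demonstration on a constructed file.
demo="$(mktemp)"
make_sample_htaccess "$demo"
if block_templates "$demo"; then
    echo "templates now blocked:"
    grep '^<FilesMatch' "$demo"
else
    echo "FilesMatch line not in the expected shape; edit it by hand" >&2
fi
rm -f "$demo" "$demo.bak"
```

After the edit the deny line reads `<FilesMatch ^(.*\.pm|.*\.pl|.*\.tmpl|.*localconfig.*)$>`; Apache reads .htaccess on every request, so no restart is needed, and a quick `curl -I` against a known template path should return 403 instead of 200.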
Updated (Assignee, 12 years ago)
Summary: [SECURITY] Prevent directory browsing in extensions/ → [SECURITY] Block access to templates in extensions/
Updated (Assignee, 12 years ago)
Flags: approval?
Flags: approval4.2?
Flags: approval4.2+
Flags: approval4.0?
Flags: approval4.0+
Flags: approval+
Comment 9 (Assignee, 12 years ago)
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified .htaccess
Committed revision 8369.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.2/
modified .htaccess
Committed revision 8131.

Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/4.0/
modified .htaccess
Committed revision 7720.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated (12 years ago)
Group: bugzilla-security