Commit 532196b8 authored by Max Kanat-Alexander

Bug 314871: (CVE-2009-3989) [SECURITY] Prevent web browsers from accessing CVS/,…

Bug 314871: (CVE-2009-3989) [SECURITY] Prevent web browsers from accessing CVS/, contrib/, docs/, and t/ directories. Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=LpSolit
parent 6d11d68f
...@@ -48,6 +48,12 @@ our @EXPORT = qw( ...@@ -48,6 +48,12 @@ our @EXPORT = qw(
fix_file_permissions fix_file_permissions
); );
use constant HT_DEFAULT_DENY => <<EOT;
# nothing in this directory is retrievable unless overridden by an .htaccess
# in a subdirectory
deny from all
EOT
# This looks like a constant because it effectively is, but # This looks like a constant because it effectively is, but
# it has to call other subroutines and read the current filesystem, # it has to call other subroutines and read the current filesystem,
# so it's defined as a sub. This is not exported, so it doesn't have # so it's defined as a sub. This is not exported, so it doesn't have
...@@ -125,7 +131,9 @@ sub FILESYSTEM { ...@@ -125,7 +131,9 @@ sub FILESYSTEM {
"$localconfig.old" => { perms => $owner_readable }, "$localconfig.old" => { perms => $owner_readable },
'docs/makedocs.pl' => { perms => $owner_executable }, 'contrib/README' => { perms => $owner_readable },
'contrib/*/README' => { perms => $owner_readable },
'docs/makedocs.pl' => { perms => $owner_executable },
'docs/style.css' => { perms => $ws_readable }, 'docs/style.css' => { perms => $ws_readable },
'docs/*/rel_notes.txt' => { perms => $ws_readable }, 'docs/*/rel_notes.txt' => { perms => $ws_readable },
'docs/*/README.docs' => { perms => $owner_readable }, 'docs/*/README.docs' => { perms => $owner_readable },
...@@ -190,6 +198,8 @@ sub FILESYSTEM { ...@@ -190,6 +198,8 @@ sub FILESYSTEM {
dirs => $owner_dir_readable }, dirs => $owner_dir_readable },
'docs/*/xml' => { files => $owner_readable, 'docs/*/xml' => { files => $owner_readable,
dirs => $owner_dir_readable }, dirs => $owner_dir_readable },
'contrib' => { files => $owner_executable,
dirs => $owner_dir_readable, },
); );
# --- FILES TO CREATE --- # # --- FILES TO CREATE --- #
...@@ -256,21 +266,19 @@ EOT ...@@ -256,21 +266,19 @@ EOT
# Because checksetup controls the .htaccess creation separately # Because checksetup controls the .htaccess creation separately
# by a localconfig variable, these go in a separate variable from # by a localconfig variable, these go in a separate variable from
# %create_files. # %create_files.
my $ht_default_deny = <<EOT;
# nothing in this directory is retrievable unless overridden by an .htaccess
# in a subdirectory
deny from all
EOT
my %htaccess = ( my %htaccess = (
"$attachdir/.htaccess" => { perms => $ws_readable, "$attachdir/.htaccess" => { perms => $ws_readable,
contents => $ht_default_deny }, contents => HT_DEFAULT_DENY },
"$libdir/Bugzilla/.htaccess" => { perms => $ws_readable, "$libdir/Bugzilla/.htaccess" => { perms => $ws_readable,
contents => $ht_default_deny }, contents => HT_DEFAULT_DENY },
"$extlib/.htaccess" => { perms => $ws_readable, "$extlib/.htaccess" => { perms => $ws_readable,
contents => $ht_default_deny }, contents => HT_DEFAULT_DENY },
"$templatedir/.htaccess" => { perms => $ws_readable, "$templatedir/.htaccess" => { perms => $ws_readable,
contents => $ht_default_deny }, contents => HT_DEFAULT_DENY },
'contrib/.htaccess' => { perms => $ws_readable,
contents => HT_DEFAULT_DENY },
't/.htaccess' => { perms => $ws_readable,
contents => HT_DEFAULT_DENY },
'.htaccess' => { perms => $ws_readable, contents => <<EOT '.htaccess' => { perms => $ws_readable, contents => <<EOT
# Don't allow people to retrieve non-cgi executable files or our private data # Don't allow people to retrieve non-cgi executable files or our private data
...@@ -592,22 +600,13 @@ sub fix_all_file_permissions { ...@@ -592,22 +600,13 @@ sub fix_all_file_permissions {
_fix_perms($dir, $owner_id, $group_id, $dirs{$dir}); _fix_perms($dir, $owner_id, $group_id, $dirs{$dir});
} }
foreach my $dir (sort keys %recurse_dirs) { foreach my $pattern (sort keys %recurse_dirs) {
next unless -d $dir; my $perms = $recurse_dirs{$pattern};
# Set permissions on the directory itself. # %recurse_dirs supports globs
my $perms = $recurse_dirs{$dir}; foreach my $dir (glob $pattern) {
_fix_perms($dir, $owner_id, $group_id, $perms->{dirs}); next unless -d $dir;
# Now recurse through the directory and set the correct permissions _fix_perms_recursively($dir, $owner_id, $group_id, $perms);
# on subdirectories and files. }
find({ no_chdir => 1, wanted => sub {
my $name = $File::Find::name;
if (-d $name) {
_fix_perms($name, $owner_id, $group_id, $perms->{dirs});
}
else {
_fix_perms($name, $owner_id, $group_id, $perms->{files});
}
}}, $dir);
} }
foreach my $file (sort keys %files) { foreach my $file (sort keys %files) {
...@@ -640,8 +639,13 @@ sub _fix_cvs_dirs { ...@@ -640,8 +639,13 @@ sub _fix_cvs_dirs {
find({ no_chdir => 1, wanted => sub { find({ no_chdir => 1, wanted => sub {
my $name = $File::Find::name; my $name = $File::Find::name;
if ($File::Find::dir =~ /\/CVS/ || $_ eq '.cvsignore' if ($File::Find::dir =~ /\/CVS/ || $_ eq '.cvsignore'
|| (-d $name && $_ eq 'CVS')) { || (-d $name && $_ =~ /CVS$/))
_fix_perms($name, $owner_id, $owner_gid, 0700); {
my $perms = 0600;
if (-d $name) {
$perms = 0700;
}
_fix_perms($name, $owner_id, $owner_gid, $perms);
} }
}}, $dir); }}, $dir);
} }
...@@ -661,6 +665,23 @@ sub _fix_perms { ...@@ -661,6 +665,23 @@ sub _fix_perms {
error => $! }) . "\n"; error => $! }) . "\n";
} }
sub _fix_perms_recursively {
my ($dir, $owner_id, $group_id, $perms) = @_;
# Set permissions on the directory itself.
_fix_perms($dir, $owner_id, $group_id, $perms->{dirs});
# Now recurse through the directory and set the correct permissions
# on subdirectories and files.
find({ no_chdir => 1, wanted => sub {
my $name = $File::Find::name;
if (-d $name) {
_fix_perms($name, $owner_id, $group_id, $perms->{dirs});
}
else {
_fix_perms($name, $owner_id, $group_id, $perms->{files});
}
}}, $dir);
}
sub _check_web_server_group { sub _check_web_server_group {
my ($output) = @_; my ($output) = @_;