Bug 434801: [SECURITY] .htaccess doesn't prevent reading old-params.txt from the web

Patch by Reed Loden <reed@reedloden.com> r=mkanat a=LpSolit

Bug 434801: [SECURITY] .htaccess doesn't prevent reading old-params.txt from the web
9a80c1ff · Reed Loden · Max Kanat-Alexander · 532196b8 · 9a80c1ff · 9a80c1ff
Commit 9a80c1ff authored Feb 01, 2010 by Reed Loden Committed by Max Kanat-Alexander Feb 01, 2010
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 4 deletions

Config.pm Bugzilla/Config.pm +7 -4

Filesystem.pm Bugzilla/Install/Filesystem.pm +7 -0

No files found.
--- a/Bugzilla/Config.pm
+++ b/Bugzilla/Config.pm
@@ -221,7 +221,7 @@ sub update_params {
    # --- REMOVE OLD PARAMS ---

    my %oldparams;
-    # Remove any old params, put them in old-params.txt
+    # Remove any old params
    foreach my $item (keys %$param) {
        if (!grep($_ eq $item, map ($_->{'name'}, @param_list))) {
            $oldparams{$item} = $param->{$item};
@@ -229,13 +229,16 @@ sub update_params {
        }
    }

+    # Write any old parameters to old-params.txt
+    my $datadir = bz_locations()->{'datadir'};
+    my $old_param_file = "$datadir/old-params.txt";
    if (scalar(keys %oldparams)) {
-        my $op_file = new IO::File('old-params.txt', '>>', 0600)
-          || die "old-params.txt: $!";
+        my $op_file = new IO::File($old_param_file, '>>', 0600)
+          || die "Couldn't create $old_param_file: $!";

        print "The following parameters are no longer used in Bugzilla,",
              " and so have been\nmoved from your parameters file into",
-              " old-params.txt:\n";
+              " $old_param_file:\n";

        local $Data::Dumper::Terse  = 1;
        local $Data::Dumper::Indent = 0;

--- a/Bugzilla/Install/Filesystem.pm
+++ b/Bugzilla/Install/Filesystem.pm
@@ -139,6 +139,7 @@ sub FILESYSTEM {
        'docs/*/README.docs'   => { perms => $owner_readable },
        "$datadir/bugzilla-update.xml" => { perms => $ws_writeable },
        "$datadir/params" => { perms => $ws_writeable },
+        "$datadir/old-params.txt" => { perms => $owner_readable },
        "$extensionsdir/create.pl" => { perms => $owner_executable },
    );

@@ -369,6 +370,12 @@ sub update_filesystem {
        _rename_file($testfile, "$testfile.old");
    }

+    # If old-params.txt exists in the root directory, move it to datadir.
+    my $oldparamsfile = "old_params.txt";
+    if (-e $oldparamsfile) {
+        _rename_file($oldparamsfile, "$datadir/$oldparamsfile");
+    }
+
    _create_files(%files);
    if ($params->{index_html}) {
        _create_files(%{$fs->{index_html}});