authorFrédéric Buclin <LpSolit@gmail.com>2010-11-03 00:06:15 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2010-11-03 00:06:15 +0100
commitc793bb323f1c58c1fe3e82b09068e88c380f5c21 (patch)
treec9a3bc93501bc6b2e13f4a777a0515959ea17491 /Bugzilla
parent480a9b8e789be47fe8a4ddf5159c0a4056f890cb (diff)
Bug 419014: (CVE-2010-3764) [SECURITY] Old charts are not project specific, and product names are viewable in graphs/
r=wurblzap a=LpSolit
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Constants.pm1
-rw-r--r--Bugzilla/Install/Filesystem.pm19
2 files changed, 17 insertions, 3 deletions
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 4ca04c478..9a0f6cd2e 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -623,6 +623,7 @@ sub bz_locations {
'datadir' => $datadir,
'attachdir' => "$datadir/attachments",
'skinsdir' => "$libpath/skins",
+ 'graphsdir' => "$libpath/graphs",
# $webdotdir must be in the web server's tree somewhere. Even if you use a
# local dot, we output images to there. Also, if $webdotdir is
# not relative to the bugzilla root directory, you'll need to
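Review bot: The new `'graphsdir'` entry carries none of the deployment note that `$webdotdir` gets right below it, although the same constraint applies: chart images are served straight out of this directory by the web server (the .htaccess this same commit installs from Install::Filesystem only lets .png/.gif through), so the directory must stay inside the web server's tree for reports to render at all. A one-line comment above the entry would keep the next admin from moving it out of the document root, e.g. `# $graphsdir must be web-served: charts are written here and fetched by the browser directly.` bz_locations continues outside this hunk.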
diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm
index 42f292b6d..0bad63708 100644
--- a/Bugzilla/Install/Filesystem.pm
+++ b/Bugzilla/Install/Filesystem.pm
@@ -122,6 +122,7 @@ sub FILESYSTEM {
my $skinsdir = bz_locations()->{'skinsdir'};
my $localconfig = bz_locations()->{'localconfig'};
my $template_cache = bz_locations()->{'template_cache'};
+ my $graphsdir = bz_locations()->{'graphsdir'};
# We want to set the permissions the same for all localconfig files
# across all PROJECTs, so we do something special with $localconfig,
@@ -197,7 +198,7 @@ sub FILESYSTEM {
dirs => DIR_CGI_WRITE },
$webdotdir => { files => WS_SERVE,
dirs => DIR_CGI_WRITE | DIR_ALSO_WS_SERVE },
- graphs => { files => WS_SERVE,
+ $graphsdir => { files => WS_SERVE,
dirs => DIR_CGI_WRITE | DIR_ALSO_WS_SERVE },
"$datadir/db" => { files => CGI_WRITE,
dirs => DIR_CGI_WRITE },
@@ -269,7 +270,7 @@ sub FILESYSTEM {
# Directories that cgi scripts can write to.
"$datadir/db" => DIR_CGI_WRITE,
$attachdir => DIR_CGI_WRITE,
- graphs => DIR_CGI_WRITE | DIR_ALSO_WS_SERVE,
+ $graphsdir => DIR_CGI_WRITE | DIR_ALSO_WS_SERVE,
$webdotdir => DIR_CGI_WRITE | DIR_ALSO_WS_SERVE,
# Directories that contain content served directly by the web server.
"$skinsdir/custom" => DIR_WS_SERVE,
@@ -331,6 +332,17 @@ EOT
"$datadir/.htaccess" => { perms => WS_SERVE,
contents => HT_DEFAULT_DENY },
+ "$graphsdir/.htaccess" => { perms => WS_SERVE, contents => <<EOT
+# Allow access to .png and .gif files.
+<FilesMatch (\\.gif|\\.png)\$>
+ Allow from all
+</FilesMatch>
+
+# And no directory listings, either.
+Deny from all
+EOT
+ },
+
"$webdotdir/.htaccess" => { perms => WS_SERVE, contents => <<EOT
# Restrict access to .dot files to the public webdot server at research.att.com
# if research.att.com ever changes their IP, or if you use a different
@@ -373,10 +385,11 @@ sub update_filesystem {
my %files = %{$fs->{create_files}};
my $datadir = bz_locations->{'datadir'};
+ my $graphsdir = bz_locations->{'graphsdir'};
# If the graphs/ directory doesn't exist, we're upgrading from
# a version old enough that we need to update the $datadir/mining
# format.
- if (-d "$datadir/mining" && !-d 'graphs') {
+ if (-d "$datadir/mining" && !-d $graphsdir) {
_update_old_charts($datadir);
}