diff options
| author | justdave%syndicomm.com <> | 2001-07-22 14:23:33 +0200 |
|---|---|---|
| committer | justdave%syndicomm.com <> | 2001-07-22 14:23:33 +0200 |
| commit | 4ce389f3a363ec9131a8e5cdbb34557e164f7b3f (patch) | |
| tree | fd7f1d7db40dbbacc4804574063d7e1376696356 /checksetup.pl | |
| parent | f46708889f65a325a08f048a15bc5c072fa7f6f6 (diff) | |
| download | bugzilla-4ce389f3a363ec9131a8e5cdbb34557e164f7b3f.tar.gz bugzilla-4ce389f3a363ec9131a8e5cdbb34557e164f7b3f.tar.xz | |
Fix for bug 76154: Bugzilla can now optionally provide .htaccess files for Apache to help restrict viewing of private data
Patch by Dave Miller <justdave@syndicomm.com>
r= jake@acutex.net
Diffstat (limited to 'checksetup.pl')
| -rwxr-xr-x | checksetup.pl | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/checksetup.pl b/checksetup.pl index bcbebff6d..b0f293b61 100755 --- a/checksetup.pl +++ b/checksetup.pl @@ -282,6 +282,20 @@ sub LocalVar ($$) # Set up the defaults for the --LOCAL-- variables below: # +LocalVar('create_htaccess', <<'END'); +# +# If you are using Apache for your web server, Bugzilla can create .htaccess +# files for you that will instruct Apache not to serve files that shouldn't +# be accessed from the web (like your local configuration data and non-cgi +# executable files). For this to work, the directory your Bugzilla +# installation is in must be within the jurisdiction of a <Directory> block +# in the httpd.conf file that has 'AllowOverride Limit' in it. If it has +# 'AllowOverride All' or other options with Limit, that's fine. +# If this is set to 1, Bugzilla will create these files if they don't exist. +# If this is set to 0, Bugzilla will not create these files. +$create_htaccess = 1; +END + LocalVar('webservergroup', ' # @@ -435,6 +449,7 @@ my $my_db_port = ${*{$main::{'db_port'}}{SCALAR}}; my $my_db_name = ${*{$main::{'db_name'}}{SCALAR}}; my $my_db_user = ${*{$main::{'db_user'}}{SCALAR}}; my $my_db_pass = ${*{$main::{'db_pass'}}{SCALAR}}; +my $my_create_htaccess = ${*{$main::{'create_htaccess'}}{SCALAR}}; my $my_webservergroup = ${*{$main::{'webservergroup'}}{SCALAR}}; my @my_severities = @{*{$main::{'severities'}}{ARRAY}}; my @my_priorities = @{*{$main::{'priorities'}}{ARRAY}}; @@ -542,6 +557,62 @@ unless (-d 'graphs') { } } +if ($my_create_htaccess) { + my $fileperm = 0644; + my $dirperm = 01777; + if ($my_webservergroup) { + $fileperm = 0640; + $dirperm = 0770; + } + if (!-e ".htaccess") { + print "Creating .htaccess...\n"; + open HTACCESS, ">.htaccess"; + print HTACCESS <<'END'; +# don't allow people to retrieve non-cgi executable files or our private data +<FilesMatch ^(.*\.pl|localconfig|processmail|syncshadowdb)$> + deny from all +</FilesMatch> +END + close HTACCESS; + chmod $fileperm, ".htaccess"; + } + if (!-e "data/.htaccess") { + print "Creating data/.htaccess...\n"; + open HTACCESS, ">data/.htaccess"; + print HTACCESS <<'END'; +# nothing in this directory is retrievable unless overriden by an .htaccess +# in a subdirectory +deny from all +END + close HTACCESS; + chmod $fileperm, "data/.htaccess"; + } + if (!-e "data/webdot/.htaccess") { + if (!-d "data/webdot") { + mkdir "data/webdot", $dirperm; + chmod $dirperm, "data/webdot"; # the perms on mkdir don't seem to apply for some reason... + } + print "Creating data/webdot/.htaccess...\n"; + open HTACCESS, ">data/webdot/.htaccess"; + print HTACCESS <<'END'; +# Allow access to nothing in this directory except for .dot files +# and don't allow access to those to anyone except research.att.com +# if research.att.com ever changed their IP, or if you use a different +# webdot server, you'll need to edit this +<FilesMatch ^[0-9]+\.dot$> + Allow from 192.20.225.10 + Deny from all +</FilesMatch> + +# And no directory listings, either. +Deny from all +END + close HTACCESS; + chmod $fileperm, "data/webdot/.htaccess"; + } + +} + # Just to be sure ... unlink "data/versioncache"; |