From 532196b8689286cf4e65b58c98afa95ca910d7ac Mon Sep 17 00:00:00 2001
From: Max Kanat-Alexander <mkanat@bugzilla.org>
Date: Mon, 1 Feb 2010 13:22:56 -0800
Subject: Bug 314871: (CVE-2009-3989) [SECURITY] Prevent web browsers from
 accessing CVS/, contrib/, docs/, and t/ directories iatch by Max
 Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=LpSolit

---
 Bugzilla/Install/Filesystem.pm | 79 ++++++++++++++++++++++++++----------------
 1 file changed, 50 insertions(+), 29 deletions(-)

(limited to 'Bugzilla/Install/Filesystem.pm')

diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm
index c95b2eecb..99f71d989 100644
--- a/Bugzilla/Install/Filesystem.pm
+++ b/Bugzilla/Install/Filesystem.pm
@@ -48,6 +48,12 @@ our @EXPORT = qw(
     fix_file_permissions
 );
 
+use constant HT_DEFAULT_DENY => <<EOT;
+# nothing in this directory is retrievable unless overridden by an .htaccess
+# in a subdirectory
+deny from all
+EOT
+
 # This looks like a constant because it effectively is, but
 # it has to call other subroutines and read the current filesystem,
 # so it's defined as a sub. This is not exported, so it doesn't have
@@ -125,7 +131,9 @@ sub FILESYSTEM {
 
         "$localconfig.old" => { perms => $owner_readable },
 
-        'docs/makedocs.pl'   => { perms => $owner_executable },
+        'contrib/README'       => { perms => $owner_readable },
+        'contrib/*/README'     => { perms => $owner_readable },
+        'docs/makedocs.pl'     => { perms => $owner_executable },
         'docs/style.css'       => { perms => $ws_readable },
         'docs/*/rel_notes.txt' => { perms => $ws_readable },
         'docs/*/README.docs'   => { perms => $owner_readable },
@@ -190,6 +198,8 @@ sub FILESYSTEM {
                                      dirs => $owner_dir_readable },
          'docs/*/xml'          => { files => $owner_readable,
                                      dirs => $owner_dir_readable },
+         'contrib'             => { files => $owner_executable,
+                                     dirs => $owner_dir_readable, },
     );
 
     # --- FILES TO CREATE --- #
@@ -256,21 +266,19 @@ EOT
     # Because checksetup controls the .htaccess creation separately
     # by a localconfig variable, these go in a separate variable from
     # %create_files.
-    my $ht_default_deny = <<EOT;
-# nothing in this directory is retrievable unless overridden by an .htaccess
-# in a subdirectory
-deny from all
-EOT
-
     my %htaccess = (
         "$attachdir/.htaccess"       => { perms    => $ws_readable,
-                                          contents => $ht_default_deny },
+                                          contents => HT_DEFAULT_DENY },
         "$libdir/Bugzilla/.htaccess" => { perms    => $ws_readable,
-                                          contents => $ht_default_deny },
+                                          contents => HT_DEFAULT_DENY },
         "$extlib/.htaccess"          => { perms    => $ws_readable,
-                                          contents => $ht_default_deny },
+                                          contents => HT_DEFAULT_DENY },
         "$templatedir/.htaccess"     => { perms    => $ws_readable,
-                                          contents => $ht_default_deny },
+                                          contents => HT_DEFAULT_DENY },
+        'contrib/.htaccess'          => { perms    => $ws_readable,
+                                          contents => HT_DEFAULT_DENY },
+        't/.htaccess'                => { perms    => $ws_readable,
+                                          contents => HT_DEFAULT_DENY },
 
         '.htaccess' => { perms => $ws_readable, contents => <<EOT
 # Don't allow people to retrieve non-cgi executable files or our private data
@@ -592,22 +600,13 @@ sub fix_all_file_permissions {
         _fix_perms($dir, $owner_id, $group_id, $dirs{$dir});
     }
 
-    foreach my $dir (sort keys %recurse_dirs) {
-        next unless -d $dir;
-        # Set permissions on the directory itself.
-        my $perms = $recurse_dirs{$dir};
-        _fix_perms($dir, $owner_id, $group_id, $perms->{dirs});
-        # Now recurse through the directory and set the correct permissions
-        # on subdirectories and files.
-        find({ no_chdir => 1, wanted => sub {
-            my $name = $File::Find::name;
-            if (-d $name) {
-                _fix_perms($name, $owner_id, $group_id, $perms->{dirs});
-            }
-            else {
-                _fix_perms($name, $owner_id, $group_id, $perms->{files});
-            }
-        }}, $dir);
+    foreach my $pattern (sort keys %recurse_dirs) {
+        my $perms = $recurse_dirs{$pattern};
+        # %recurse_dirs supports globs
+        foreach my $dir (glob $pattern) {
+            next unless -d $dir;
+            _fix_perms_recursively($dir, $owner_id, $group_id, $perms);
+        }
     }
 
     foreach my $file (sort keys %files) {
@@ -640,8 +639,13 @@ sub _fix_cvs_dirs {
     find({ no_chdir => 1, wanted => sub {
         my $name = $File::Find::name;
         if ($File::Find::dir =~ /\/CVS/ || $_ eq '.cvsignore'
-            || (-d $name && $_ eq 'CVS')) {
-            _fix_perms($name, $owner_id, $owner_gid, 0700);
+            || (-d $name && $_ =~ /CVS$/)) 
+        {
+            my $perms = 0600;
+            if (-d $name) {
+                $perms = 0700;
+            }
+            _fix_perms($name, $owner_id, $owner_gid, $perms);
         }
     }}, $dir);
 }
@@ -661,6 +665,23 @@ sub _fix_perms {
                                                  error => $! }) . "\n";
 }
 
+sub _fix_perms_recursively {
+    my ($dir, $owner_id, $group_id, $perms) = @_;
+    # Set permissions on the directory itself.
+    _fix_perms($dir, $owner_id, $group_id, $perms->{dirs});
+    # Now recurse through the directory and set the correct permissions
+    # on subdirectories and files.
+    find({ no_chdir => 1, wanted => sub {
+        my $name = $File::Find::name;
+        if (-d $name) {
+            _fix_perms($name, $owner_id, $group_id, $perms->{dirs});
+        }
+        else {
+            _fix_perms($name, $owner_id, $group_id, $perms->{files});
+        }
+    }}, $dir);
+}
+
 sub _check_web_server_group {
     my ($output) = @_;
 
-- 
cgit v1.2.3-24-g4f1b