On 07/11/2013 07:06 AM, Charles Plessy wrote: > user [email protected] > usertags 715804 normative discussion > thanks > > Le Thu, Jul 11, 2013 at 01:24:45AM +0800, Thomas Goirand a écrit : >> Package: debian-policy >> Severity: important >> >> The Debian policy for web apps still references /doc as accessible >> through the web (see point 3 of chapter 11.5), though it has been removed >> for security reasons. The policy should be updated. > > Hi Thomas, > > basically, what you propose is the following: > > diff --git a/policy.sgml b/policy.sgml > index 1508231..2651a1a 100644 > --- a/policy.sgml > +++ b/policy.sgml > @@ -9668,27 +9668,6 @@ http://localhost/cgi-bin/<var>cgi-bin-name</var> > before <var>cgi-bin-name</var>). > </item> > > - <item> > - <p>Access to HTML documents</p> > - > - <p> > - HTML documents for a package are stored in > - <file>/usr/share/doc/<var>package</var></file> > - and can be referred to as > - <example compact="compact"> > -http://localhost/doc/<var>package</var>/<var>filename</var> > - </example> > - </p> > - > - <p> > - The web server should restrict access to the document > - tree so that only clients on the same host can read > - the documents. If the web server does not support such > - access controls, then it should not provide access at > - all, or ask about providing access during installation. > - </p> > - </item> > - > <item> > <p>Access to images</p> > <p> > > > I note that /doc was only to be served locally. How did that cause security > issues ?
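Review bot: the hunk removes the only Policy text that constrains serving /usr/share/doc at all, so after this change nothing in 11.5 forbids a web server package from re-adding a localhost-restricted /doc alias, which is exactly the configuration the bug report says was dropped for security reasons. Rather than a pure deletion, replace the removed item with a short normative statement that web servers must not expose /usr/share/doc over HTTP (even to local clients) and that packages must not link to http://localhost/doc/<var>package</var>/<var>filename</var>, with a pointer to the advisory that motivated the removal. Note also that deleting the item renumbers "Access to images" and everything after it within 11.5, so any cross-references to "point 3" elsewhere in the document need checking.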
See David's reply, which is good.

> Anyway, if the webservers that we distribute have dropped that functionality
> (can you confirm that it is not just apache2 ?), then I also support adjusting
> the Policy accordingly.

I confirm. If others didn't, then it's an RC bug with tags: security.

I agree with the removal, though I would also add a quick note saying that we *used* to have access to /doc with web servers on localhost, but it was removed, with a link to http://www.debian.org/security/2012/dsa-2452. Something like:

<p>
HTML documents must not refer anymore to documents using
<example compact="compact">http://localhost/doc/<var>package</var>/<var>filename</var></example>
since this functionality was removed due to security problems (see: http://www.debian.org/security/2012/dsa-2452). Moreover, web servers must not provide direct access to /usr/share/doc anymore, even from localhost only.
</p>

Thomas Goirand (zigo)
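The proposed rule above says a web server must not map /usr/share/doc into URL space at all, localhost restriction or not. The following added check (not part of this thread or of any Debian package) scans an Apache-style configuration for Alias, ScriptAlias, AliasMatch and <Directory> directives that point into /usr/share/doc and reports them regardless of any Allow/Deny lines; the two configuration snippets are constructed samples in the Apache 2.2 idiom, not copied from Debian.

```python
import re

# Constructed sample resembling the old localhost-restricted /doc alias.
# The access restriction does not matter for the check: the rule forbids
# any mapping of /usr/share/doc into URL space.
OLD_CONFIG = """\
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
"""

# Constructed sample of a configuration with no /doc mapping at all.
NEW_CONFIG = """\
DocumentRoot /var/www
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

DOC_TREE = "/usr/share/doc"
# Leading ^\s* means commented-out directives ("#Alias ...") never match.
ALIAS_RE = re.compile(r'^\s*(Alias|ScriptAlias|AliasMatch)\s+(\S+)\s+"?([^"\s]+)"?', re.I)
DIR_RE = re.compile(r'^\s*<Directory\s+"?([^">\s]+)"?\s*>', re.I)


def under_doc_tree(path):
    """True for /usr/share/doc itself or anything below it (not /usr/share/doc-base)."""
    p = path.rstrip("/")
    return p == DOC_TREE or p.startswith(DOC_TREE + "/")


def find_doc_exposures(config_text):
    """Return (line_no, directive, filesystem_path) for every directive that
    maps URL space or a <Directory> block into /usr/share/doc."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if m and under_doc_tree(m.group(3)):
            hits.append((n, m.group(1), m.group(3)))
            continue
        m = DIR_RE.match(line)
        if m and under_doc_tree(m.group(1)):
            hits.append((n, "Directory", m.group(1)))
    return hits


if __name__ == "__main__":
    for name, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        print(name, find_doc_exposures(cfg) or "no /usr/share/doc exposure")
```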

