[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Martin Renvoize changed:

What | Removed | Added
Blocks | | 28236

Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28236
[Bug 28236] Selecting database columns for system preferences in standard and dev installs is broken

--
You are receiving this mail because:
You are watching all bug changes.
___
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Galen Charlton gmcha...@gmail.com changed:

What | Removed | Added
Status | Needs Signoff | Signed Off
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Galen Charlton gmcha...@gmail.com changed:

What | Removed | Added
Status | NEW | ASSIGNED
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Galen Charlton gmcha...@gmail.com changed:

What | Removed | Added
Status | Signed Off | Passed QA
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Galen Charlton gmcha...@gmail.com changed:

What | Removed | Added
Status | ASSIGNED | Needs Signoff
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Galen Charlton gmcha...@gmail.com changed:

What | Removed | Added
Status | Passed QA | Pushed to Master
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

--- Comment #17 from Galen Charlton gmcha...@gmail.com ---
I just noticed that due to an apparent timing issue, this patch was never actually reverted from master. I'm going to run with leaving it in, as I have a patch series in progress in bug 10592 that fixes the value_builder and favicon issues.
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Galen Charlton gmcha...@gmail.com changed:

What | Removed | Added
Status | Passed QA | In Discussion
Severity | blocker | normal

--- Comment #16 from Galen Charlton gmcha...@gmail.com ---
(In reply to comment #13)
> Just a *dumb* question: But why should these open source files -- by no means :) -- be exposed through the browser? Much of this stuff will be from the standard install, available online elsewhere. Some small customizations are probably not of a to be hidden nature. The larger custom work that for some reason should not be public (pity btw! we encourage to submit patches) can be hidden by a pro :) Not in any way wanting to discourage your sending of patches!

Well, the motivation isn't to hide code or customizations per se, it's to reduce the risk that the webserver could be made to send out sensitive configuration information, e.g., DB passwords or the like. In this specific case, there isn't anything (to my knowledge) in modules, xslt, and includes that would be useful to an attacker, although I could certainly see a customizer getting lazy and (say) hardcoding credentials into a template.

The upshot is that I see this patch as a useful direction to be thinking towards, and I'm not opposed to pushing it (once Tomás' concerns are addressed), but I think even better would be to move

Since the revert is done, I'm setting this one to in discussion. I'm also setting the criticality back to 'normal'. If there is a *specific* security issue that warrants blocker status, please let me know.
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Galen Charlton gmcha...@gmail.com changed:

What | Removed | Added
Status | In Discussion | ASSIGNED
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Galen Charlton gmcha...@gmail.com changed:

What | Removed | Added
Status | ASSIGNED | NEW
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Chris Cormack ch...@bigballofwax.co.nz changed:

What | Removed | Added
Status | Pushed to Master | Pushed to Stable

--- Comment #10 from Chris Cormack ch...@bigballofwax.co.nz ---
Pushed to 3.10.x and 3.8.x; will be in 3.10.6 and 3.8.13.
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Jared Camins-Esakov jcam...@cpbibliography.com changed:

What | Removed | Added
Status | Passed QA | Pushed to Master

--- Comment #9 from Jared Camins-Esakov jcam...@cpbibliography.com ---
This patch has been pushed to master and 3.12.x.
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Jonathan Druart jonathan.dru...@biblibre.com changed:

What | Removed | Added
Status | Signed Off | Passed QA
CC | | jonathan.dru...@biblibre.com
QA Contact | | jonathan.dru...@biblibre.com

--- Comment #7 from Jonathan Druart jonathan.dru...@biblibre.com ---
QA comment:
Tested on an existing install, it works great.
I didn't find any reason not to pass qa this patch.
Marked as Passed QA.
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Jonathan Druart jonathan.dru...@biblibre.com changed:

What | Removed | Added
Attachment #17090 is obsolete | 0 | 1

--- Comment #8 from Jonathan Druart jonathan.dru...@biblibre.com ---
Created attachment 17166
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=17166&action=edit
Bug 9812 - Forbid access to several files through the browser

This patch hides (-Indexes) and forbids (Deny from all) access to some stuff through a browser. Specifically the xslt, modules and includes dirs and their contents.

This is just a quick fix we talked about at IRC. The proper solution would be to remove this from htdocs, which will still be needed.

Signed-off-by: Chris Cormack chr...@catalyst.net.nz
Signed-off-by: Jonathan Druart jonathan.dru...@biblibre.com
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Chris Cormack ch...@bigballofwax.co.nz changed:

What | Removed | Added
CC | | ch...@bigballofwax.co.nz
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Chris Cormack ch...@bigballofwax.co.nz changed:

What | Removed | Added
Status | Needs Signoff | Signed Off
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Chris Cormack ch...@bigballofwax.co.nz changed:

What | Removed | Added
Attachment #16098 is obsolete | 0 | 1

--- Comment #6 from Chris Cormack ch...@bigballofwax.co.nz ---
Created attachment 17090
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=17090&action=edit
Bug 9812 - Forbid access to several files through the browser

This patch hides (-Indexes) and forbids (Deny from all) access to some stuff through a browser. Specifically the xslt, modules and includes dirs and their contents.

This is just a quick fix we talked about at IRC. The proper solution would be to remove this from htdocs, which will still be needed.

Signed-off-by: Chris Cormack chr...@catalyst.net.nz
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Dobrica Pavlinusic dpav...@rot13.org changed:

What | Removed | Added
CC | | dpav...@rot13.org
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Owen Leonard oleon...@myacpl.org changed:

What | Removed | Added
Assignee | gmcha...@gmail.com | tomasco...@gmail.com
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Paul A pau...@aandc.org changed:

What | Removed | Added
CC | | pau...@aandc.org

--- Comment #3 from Paul A pau...@aandc.org ---
Validated on my sandbox (Koha 3.8.5, Ubuntu 12.04.2 LTS), but note I'm not sure of the role of /etc/koha-httpd.conf (upgrades, etc?) as for every tarball install of Koha that I've ever done, I prefer etc/apache2/{whatever_file[s]}. This requires:
service apache2 reload
/etc/init.d/apache2 restart

I'm also not sure why memcached is mentioned in the patch; the relevant SetEnv directives probably don't need to be touched.
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

--- Comment #4 from Tomás Cohen Arazi tomasco...@gmail.com ---
(In reply to comment #3)
> Validated on my sandbox (Koha 3.8.5, Ubuntu 12.04.2 LTS), but note I'm not sure of the role of /etc/koha-httpd.conf (upgrades, etc?) as for every tarball install of Koha that I've ever done, I prefer etc/apache2/{whatever_file[s]}. This requires:
> service apache2 reload
> /etc/init.d/apache2 restart

I'm glad it worked for you.

> I'm also not sure why memcached is mentioned in the patch; the relevant SetEnv directives probably don't need to be touched.

They remain untouched, don't worry. The only modified lines are those that start with a plus (+) symbol.
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

--- Comment #5 from Paul A pau...@aandc.org ---
(In reply to comment #4)
> (In reply to comment #3)
> > Validated on my sandbox (Koha 3.8.5, Ubuntu 12.04.2 LTS), but note I'm not sure of the role of /etc/koha-httpd.conf (upgrades, etc?) as for every tarball install of Koha that I've ever done, I prefer etc/apache2/{whatever_file[s]}. This requires:
> > service apache2 reload
> > /etc/init.d/apache2 restart
>
> I'm glad it worked for you.

In fact, this only was tested on our 64-bit sandbox - our production server uses a slightly different approach (less elegant. A wider 'deny', then specific 'allows'), with the same result. I'll probably update production at next scheduled maintenance.

> > I'm also not sure why memcached is mentioned in the patch; the relevant SetEnv directives probably don't need to be touched.
>
> They remain untouched, don't worry. The only modified lines are those that start with a plus (+) symbol.

My bad - read it too quickly - but of course did not modify our memcached directives.
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

--- Comment #1 from Tomás Cohen Arazi tomasco...@gmail.com ---
Created attachment 16098
http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=16098&action=edit
Bug 9812 - Forbid access to several files through the browser

This patch hides (-Indexes) and forbids (Deny from all) access to some stuff through a browser. Specifically the xslt, modules and includes dirs and their contents.

This is just a quick fix we talked about at IRC. The proper solution would be to remove this from htdocs, which will still be needed.
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

Tomás Cohen Arazi tomasco...@gmail.com changed:

What | Removed | Added
Status | NEW | Needs Signoff
Patch complexity | --- | Trivial patch
Change sponsored? | --- | Sponsored
[Koha-bugs] [Bug 9812] Several files shouldn't be exposed or browseable through a URL
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=9812

--- Comment #2 from Tomás Cohen Arazi tomasco...@gmail.com ---
Test plan
=========
- Install Koha from master
- Go there in your browser: http://YOUR_DEV_KOHA_OPAC_FQDN/opac-tmpl/prog/en/
- You should be able to browse every dir in the templates dir
- Apply the patch and reinstall using
  $ perl Makefile.PL --prev-install-log ~/path/to/koha-install-log
- Retry, you shouldn't be able to browse or access any files in these dirs:
  * modules
  * xslt
  * includes

For your convenience these paths should be valid for testing:
/opac-tmpl/prog/en/modules/kohaerror.tt
/opac-tmpl/prog/en/includes/usermenu.inc
/opac-tmpl/prog/en/xslt/MARC21slim2OPACDetail.xsl
/opac-tmpl/ccsr/en/includes/doc-head-close.inc

This should do it for the staff client too, but... it's too much work for such a trivial patch!
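The directives the patch description (comments #1, #6 and #8) names, "-Indexes" plus "Deny from all", and the URL checks in the test plan above, as an added bash example that is not part of this bug report and is not Koha's own patch: it emits an Apache block covering the modules, xslt and includes directories for every theme and language under the template root, in both the Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") access-control syntax, and then fetches the test plan's sample paths with curl, flagging anything still served. The single DirectoryMatch form is this example's choice rather than the patch's wording, and the htdocs root and base URL are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not Koha's patch: (1) emit the Apache directives the bug
# describes (Options -Indexes plus a deny) for the modules/xslt/includes dirs,
# (2) replay the test plan's URL checks with curl and flag what is still served.
# Assumptions: the htdocs root and base URL are placeholders, and the
# DirectoryMatch regex form is this example's choice, not the patch's wording.

# Print one <DirectoryMatch> block covering every theme/language under the
# template root. $1 = template root on disk, $2 = "2.2" or "2.4" (the
# access-control syntax differs), remaining args = subdirectory names.
gen_apache_block() {
    local root=$1 version=$2; shift 2
    local names
    names=$(IFS='|'; printf '%s' "$*")           # modules|xslt|includes
    printf '<DirectoryMatch "^%s/.*/(%s)(/|$)">\n' "$root" "$names"
    printf '    Options -Indexes\n'              # no auto-generated listings
    if [ "$version" = "2.4" ]; then
        printf '    Require all denied\n'        # mod_authz_core (2.4)
    else
        printf '    Order deny,allow\n'          # mod_access (2.2)
        printf '    Deny from all\n'
    fi
    printf '</DirectoryMatch>\n'
}

# HTTP status of a URL as three digits ("000" when unreachable). GET with
# redirects followed, so a directory URL missing its slash still resolves.
# Defined as a function so a test can stub it without touching the network.
http_status() {
    curl -s -L -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# $1 = base URL (no trailing slash); remaining args = paths to probe.
# Prints one line per path; returns 1 if any path is not refused.
# 403/404 count as protected; 200 means the file or listing is still served;
# anything else (5xx, 000) is reported so it can be looked at by hand.
check_paths() {
    local base=$1; shift
    local path status rc=0
    for path in "$@"; do
        status=$(http_status "${base}${path}")
        case "$status" in
            403|404) printf 'ok       %s %s\n' "$status" "$path" ;;
            200)     printf 'EXPOSED  %s %s\n' "$status" "$path"; rc=1 ;;
            *)       printf 'UNKNOWN  %s %s\n' "$status" "$path"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: ./check_exposure.sh http://YOUR_DEV_KOHA_OPAC_FQDN [/path/to/htdocs/opac-tmpl]
if [ $# -gt 0 ]; then
    base=${1%/}
    root=${2:-/usr/share/koha/opac/htdocs/opac-tmpl}   # placeholder root
    echo "# Apache 2.4 directives for the OPAC vhost:"
    gen_apache_block "$root" 2.4 modules xslt includes
    echo
    echo "# Probing the test plan's paths (plus one directory listing):"
    check_paths "$base" \
        /opac-tmpl/prog/en/modules/ \
        /opac-tmpl/prog/en/modules/kohaerror.tt \
        /opac-tmpl/prog/en/includes/usermenu.inc \
        /opac-tmpl/prog/en/xslt/MARC21slim2OPACDetail.xsl \
        /opac-tmpl/ccsr/en/includes/doc-head-close.inc
fi
```

The probe treats only 403 and 404 as a pass: a 200 on any of these paths means the template source is still being served, and anything else (a 5xx, or 000 when curl cannot connect) is reported rather than silently counted as safe. The DirectoryMatch block belongs in the vhost configuration (koha-httpd.conf or the file under etc/apache2 that comment #3 prefers), not in an .htaccess file, and needs the reload or restart that comment #3 mentions before re-running the probe.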