
Bug#319397: marked as done (httpd.conf: Files default directive should deny more odd filenames)



Your message dated Wed, 24 Mar 2010 20:30:39 +0000 (WET)
with message-id <20100324203039.90A89311D@kmos.homeip.net>
and subject line Package apache-common has been removed from Debian
has caused the Debian Bug report #319397,
regarding httpd.conf: Files default directive should deny more odd filenames
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
319397: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=319397
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache-common
Version: 1.3.33-6
Tags: patch

The default Debian /etc/apache/httpd.conf uses a Files directive to deny
access to .htaccess files.  But there are many other filename patterns
that, should they be found in the web tree, should also be denied.

The Files directive currently looks like this:

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

The appended patch changes the first line to this:

<Files ~ "^\.|^_|RCS|CVS|,|~|#">

Here's what the new patterns are intended to match:

 .* is for .htaccess, .htpasswd, .svn, Emacs locks, etc.
 _* is for _vti_* and other FrontPage files.
 , is for RCS files and some backup files.
 ~ is for Emacs backup files.
 # is for Emacs lock files and backup files.

Now you may say that all the patterns added by this patch match files
that do not need to be under the web document root and therefore
shouldn't be.  However, I'm sure we've all seen the misconfigured sites
and packages that install extraneous files in the web tree.  The default
Apache configuration should protect sites from such mistakes.  (And in
the unlikely event that someone intends some such oddly-named file to be
served, they can change httpd.conf.)

This same suggestion applies to apache2.conf in apache2-common 2.0.54-4.

 < Stephen


--- apache-1.3.33/debian/pkgtemplates/flavours.httpd.conf	2005-06-28 23:48:15.000000000 -0700
+++ debian/pkgtemplates/flavours.httpd.conf	2005-06-29 00:56:26.000000000 -0700
@@ -395,17 +395,25 @@
 AccessFileName .htaccess
 
 #
-# The following lines prevent .htaccess files from being viewed by
-# Web clients.  Since .htaccess files often contain authorization
-# information, access is disallowed for security reasons.  Comment
-# these lines out if you want Web visitors to see the contents of
-# .htaccess files.  If you change the AccessFileName directive above,
-# be sure to make the corresponding changes here.
+# The following lines prevent Web clients from viewing .htaccess files
+# and other "control" files that are probably not part of the intended
+# web content.  (Comment these lines out if you want Web visitors to
+# see the contents of .htaccess files or other matching files.)  If
+# you change the AccessFileName directive above, be sure to make any
+# necessary corresponding change here.
+#
+# This directive also denies access to files that look like they might
+# be unintentional if they are found under the DocumentRoot.  These
+# files probably shouldn't be under the DocumentRoot at all, but many
+# sites are mis-configured, so include them in the default deny pattern.
+#
+# .* catches .htaccess, .htpasswd, .svn, Emacs locks, etc.
+# _* catches _vti_* and other FrontPage files.
+# , catches RCS files and some backup files.
+# ~ catches Emacs backup files.
+# # catches Emacs lock files and backup files.
 #
-# Also, folks tend to use names such as .htpasswd for password
-# files, so this will protect those as well.
-#
-<Files ~ "^\.ht">
+<Files ~ "^\.|^_|RCS|CVS|,|~|#">
     Order allow,deny
     Deny from all
 </Files>
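Review bot: in `+<Files ~ "^\.|^_|RCS|CVS|,|~|#">` only the first two alternatives are anchored; `RCS`, `CVS`, `,`, `~` and `#` are unanchored substring matches (Apache regex matching is a search, not a full match), so ordinary content such as `ORCS.html`, `CVSguide.pdf`, `report,2005.csv` or `faq#1.html` is denied as well. Anchor each alternative to the file shape the new comment describes, e.g. `~$` for Emacs backups, `^#.*#$` for Emacs auto-save files, `,v$` for RCS archives and `^RCS$|^CVS$` for the control directories. Note also that `<Files>` is compared against the final path component only, so `RCS|CVS` blocks a request for the directory itself but not for `CVS/Entries` or `CVS/Root` inside it; a `<DirectoryMatch>` section is needed for that. Finally, the explanatory list added at `+# .* catches ...` does not mention the `RCS` and `CVS` alternatives that the pattern contains.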


--- End Message ---
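As an added check, not part of the bug report or of the Debian package, the following script runs the patched <Files ~ ...> pattern against constructed sample filenames and compares it with an anchored variant. It assumes that Python's re module behaves like Apache's regex engine for these simple alternations (case-sensitive, unanchored search), which holds for the patterns involved; the TIGHTENED pattern and the sample names are this example's own, not the report's.

```python
import re

# Pattern proposed by the bug report's patch. Apache applies the regex as an
# unanchored, case-sensitive search on the final path component, which is
# what re.search() does here.
PROPOSED = re.compile(r"^\.|^_|RCS|CVS|,|~|#")

# Anchored variant (an assumption made for this example): same intent as the
# report, but each substring alternative is tied to the file shape the report
# describes (Emacs backup "name~", Emacs auto-save "#name#", RCS archive
# "name,v", and the bare RCS/CVS control directories).
TIGHTENED = re.compile(r"^\.|^_|^RCS$|^CVS$|,v$|~$|^#.*#$")

# Constructed sample basenames. SHOULD_DENY are the control and backup files
# the report wants hidden; SHOULD_ALLOW are ordinary content files that
# merely contain one of the pattern's characters somewhere in the name.
SHOULD_DENY = [
    ".htaccess", ".htpasswd", ".svn", "_vti_cnf", "index.html~",
    "#index.html#", "style.css,v", "RCS", "CVS", ".#index.html",
]
SHOULD_ALLOW = [
    "index.html", "ORCS.html", "CVSguide.pdf",
    "ratings,2005.csv", "a~b.png", "faq#1.html",
]


def classify(pattern, names):
    """Return the names that the given <Files ~> regex would deny."""
    return [n for n in names if pattern.search(n)]


def false_positives(pattern):
    """Legitimate content files the pattern denies anyway."""
    return classify(pattern, SHOULD_ALLOW)


def misses(pattern):
    """Control or backup files the pattern fails to deny."""
    return [n for n in SHOULD_DENY if not pattern.search(n)]


if __name__ == "__main__":
    for label, pat in (("proposed", PROPOSED), ("tightened", TIGHTENED)):
        print(f"{label}: collateral denials = {false_positives(pat)}")
        print(f"{label}: missed control files = {misses(pat)}")
```

Both patterns deny every file in SHOULD_DENY, but the proposed one also denies five of the six ordinary names, which is the kind of outage a default configuration shipped to every Debian host should avoid.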
--- Begin Message ---
Version: 1.3.34-4.1+rm

You filed the bug http://bugs.debian.org/319397 in Debian BTS
against the package apache-common. I'm closing it at *unstable*, but it will
remain open for older distributions.

For more information about this package's removal, read
http://bugs.debian.org/418266. That bug might give the reasons why
this package was removed and suggestions of possible replacements.

Don't hesitate to reply to this mail if you have any question.

Thank you for your contribution to Debian.

--
Marco Rodrigues


--- End Message ---