
Bug#715804: Debian policy for web apps still references /doc as accessible



On 07/11/2013 07:06 AM, Charles Plessy wrote:
> user debian-policy@packages.debian.org
> usertags 715804 normative discussion
> thanks
> 
> On Thu, Jul 11, 2013 at 01:24:45AM +0800, Thomas Goirand wrote:
>> Package: debian-policy
>> Severity: important
>>
>> The Debian policy for web apps still references /doc as accessible
>> through the web (see point 3 of chapter 11.5), though it has been removed
>> for security reasons. The policy should be updated.
> 
> Hi Thomas,
> 
> basically, what you propose is the following:
> 
> diff --git a/policy.sgml b/policy.sgml
> index 1508231..2651a1a 100644
> --- a/policy.sgml
> +++ b/policy.sgml
> @@ -9668,27 +9668,6 @@ http://localhost/cgi-bin/<var>cgi-bin-name</var>
>                 before <var>cgi-bin-name</var>).
>             </item>
>  
> -           <item>
> -             <p>Access to HTML documents</p>
> -
> -             <p>
> -               HTML documents for a package are stored in
> -                <file>/usr/share/doc/<var>package</var></file>
> -               and can be referred to as
> -               <example compact="compact">
> -http://localhost/doc/<var>package</var>/<var>filename</var>
> -               </example>
> -             </p>
> -
> -             <p>
> -                The web server should restrict access to the document
> -                tree so that only clients on the same host can read
> -                the documents. If the web server does not support such
> -                access controls, then it should not provide access at
> -                all, or ask about providing access during installation.
> -             </p>
> -           </item>
> -
>              <item>
>                <p>Access to images</p>
>                <p>
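Review bot: Deleting the whole "Access to HTML documents" <item> leaves this list silent on /usr/share/doc, so a packager reading it would no longer learn that URLs of the form http://localhost/doc/<var>package</var>/<var>filename</var> must not be used; consider replacing the item with a short <p> saying that the web server must not serve /usr/share/doc (even to localhost) and that package documentation must not link to it, rather than removing the text outright. Note also that dropping an <item> renumbers the following ones ("Access to images" and after), so a reference such as the bug report's "point 3 of chapter 11.5" will no longer point at the same item.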
> 
> 
> I note that /doc was only to be served locally.  How did that cause security
> issues?

See David's reply, which is good.

> Anyway, if the webservers that we distribute have dropped that functionality
> (can you confirm that it is not just apache2?), then I also support adjusting
> the Policy accordingly.

I confirm. If others didn't, then it's an RC bug with tags: security.

I agree with the removal, though I would also add a quick note saying
that we *used* to have access to /doc with web servers on localhost, but
it was removed, with a link to
http://www.debian.org/security/2012/dsa-2452. Something like:

<p>
HTML documents must no longer refer to documents using <example
compact="compact">http://localhost/doc/<var>package</var>/<var>filename</var></example>
since this functionality was removed due to security problems (see:
http://www.debian.org/security/2012/dsa-2452). Moreover, web servers
must not provide direct access to /usr/share/doc anymore, even when
restricted to localhost.
</p>

Thomas Goirand (zigo)
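A lintian-style check for the rule proposed in the message above, written as an added example that is not part of this thread or of Debian Policy: it parses a package's HTML documentation and reports every URL that still points into the old http://localhost/doc/ alias. The sample HTML and the list of "local" hostnames are constructed here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value is a URL the browser will fetch or follow.
URL_ATTRS = {"href", "src", "action", "data", "poster"}
# Hostnames that mean "the local web server", where the /doc alias used to live
# (constructed list for this example).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def refers_to_localhost_doc(url):
    """True if url points into the old http://localhost/doc/ alias."""
    # Handles http/https, an explicit port and scheme-relative //localhost/doc/;
    # filesystem paths like /usr/share/doc/... and other hosts do not match.
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https", ""):
        return False
    if (parts.hostname or "").lower() not in LOCAL_HOSTS:
        return False
    return re.match(r"/doc(/|$)", parts.path) is not None


class LocalhostDocFinder(HTMLParser):
    """Collect (tag, attribute, url) for every offending URL in a document."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and refers_to_localhost_doc(value):
                self.hits.append((tag, name, value))


def find_localhost_doc_links(html):
    """Return the (tag, attr, url) triples in html that violate the proposed rule."""
    finder = LocalhostDocFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample: a package's index.html that still links into /doc.
SAMPLE_HTML = """<html><body>
<a href="http://localhost/doc/foo/README.html">README</a>
<img src="../images/logo.png">
<a href="/usr/share/doc/foo/changelog.gz">changelog</a>
<a href="HTTP://127.0.0.1:80/doc/foo/api/">API</a>
<a href="http://www.debian.org/doc/">Debian docs</a>
</body></html>"""
```

Running `find_localhost_doc_links(SAMPLE_HTML)` returns only the two localhost links; the relative image path, the bare /usr/share/doc path and the debian.org URL are accepted.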
