Bug#715804: Debian policy for web apps still references /doc as accessible
On 07/11/2013 07:06 AM, Charles Plessy wrote:
> user debian-policy@packages.debian.org
> usertags 715804 normative discussion
> thanks
>
> Le Thu, Jul 11, 2013 at 01:24:45AM +0800, Thomas Goirand a écrit :
>> Package: debian-policy
>> Severity: important
>>
>> The Debian policy for web apps still references /doc as accessible
>> through the web (see point 3 of chapter 11.5), though it has been removed
>> for security reasons. The policy should be updated.
>
> Hi Thomas,
>
> basically, what you propose is the following:
>
> diff --git a/policy.sgml b/policy.sgml
> index 1508231..2651a1a 100644
> --- a/policy.sgml
> +++ b/policy.sgml
> @@ -9668,27 +9668,6 @@ http://localhost/cgi-bin/<var>cgi-bin-name</var>
> before <var>cgi-bin-name</var>).
> </item>
>
> - <item>
> - <p>Access to HTML documents</p>
> -
> - <p>
> - HTML documents for a package are stored in
> - <file>/usr/share/doc/<var>package</var></file>
> - and can be referred to as
> - <example compact="compact">
> -http://localhost/doc/<var>package</var>/<var>filename</var>
> - </example>
> - </p>
> -
> - <p>
> - The web server should restrict access to the document
> - tree so that only clients on the same host can read
> - the documents. If the web server does not support such
> - access controls, then it should not provide access at
> - all, or ask about providing access during installation.
> - </p>
> - </item>
> -
> <item>
> <p>Access to images</p>
> <p>
>
>
> I note that /doc was only to be served locally. How did that cause security
> issues ?
See David's reply, which is good.
> Anyway, if the webservers that we distribute have dropped that functionality
> (can you confirm that it is not just apache2 ?), then I also support adjusting
> the Policy accordingly.
I confirm. If others didn't, then it's a RC bug with tags: security.
I agree with the removal, though I would also add a quick note saying
that we *used* to have access to /doc with web servers on localhost, but
it was removed, with a link to
http://www.debian.org/security/2012/dsa-2452. Something like:
<p>
HTML documents must not refer anymore to documents using <example
compact="compact">http://localhost/doc/<var>package</var>/<var>filename</var></example>
since this functionality was removed due to security problems (see:
http://www.debian.org/security/2012/dsa-2452). Moreover, web servers
must not provide direct access to /usr/share/doc anymore, even from
localhost only.
</p>
Thomas Goirand (zigo)
Reply to: