Bug 785511: Prevent directory browsing, especially in docs/ and extensions/
authorFrédéric Buclin <LpSolit@gmail.com>
Tue, 28 Aug 2012 22:06:46 +0000 (00:06 +0200)
committerFrédéric Buclin <LpSolit@gmail.com>
Tue, 28 Aug 2012 22:06:46 +0000 (00:06 +0200)
r=dkl a=LpSolit

.htaccess
docs/en/xml/installation.xml

index 4b06fe9a9c1ad68343cb20b953c132f5f4249397..27f478afdaf91f033717a0a9f786c0340dd263f2 100644 (file)
--- a/.htaccess
+++ b/.htaccess
@@ -2,6 +2,9 @@
 <FilesMatch ^(.*\.pm|.*\.pl|.*localconfig.*)$>
   deny from all
 </FilesMatch>
+
+Options -Indexes
+
 <IfModule mod_expires.c>
 <IfModule mod_headers.c>
 <IfModule mod_env.c>
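Review bot: The added `Options -Indexes` is only accepted in `.htaccess` when the server configuration grants `AllowOverride Options` (or `All`) for the Bugzilla directory. Installs set up from the previously documented `AllowOverride Limit FileInfo Indexes` will likely have Apache reject the whole file and answer every request with a 500 after upgrading. The installation.xml change in this commit covers new setups only, so I would add a comment above the directive, e.g. `# Needs "AllowOverride Options" in the Apache config for this directory, otherwise Apache returns a 500 error.`, and call out the upgrade step in the release notes. Conversely, where `AllowOverride None` is in effect this file is ignored and listings stay governed by the server config, so the protection for docs/ and extensions/ should be confirmed against the `<Directory>` block rather than assumed from this line.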
index 8c5c29b8e8fa64dd40d2517dc4d825129134ac71..18de454b9f426a6a8c91bdfd88e82feaae723459 100644 (file)
@@ -1056,19 +1056,20 @@ SetEnv LD_LIBRARY_PATH /u01/app/oracle/product/10.2.0/lib/
                 <programlisting>
 &lt;Directory /var/www/html/bugzilla&gt;
 AddHandler cgi-script .cgi
-Options +Indexes +ExecCGI
-DirectoryIndex index.cgi
-AllowOverride Limit FileInfo Indexes
+Options +ExecCGI
+DirectoryIndex index.cgi index.html
+AllowOverride Limit FileInfo Indexes Options
 &lt;/Directory&gt;
                 </programlisting>
     
                 <para>
                 These instructions: allow apache to run .cgi files found
                 within the bugzilla directory; instructs the server to look
-                for a file called <filename>index.cgi</filename> if someone
+                for a file called <filename>index.cgi</filename> or, if not
+                found, <filename>index.html</filename> if someone
                 only types the directory name into the browser; and allows
                 Bugzilla's <filename>.htaccess</filename> files to override
-                global permissions.
+                some global permissions.
                 </para>
     
                 <note>