From: Reed Loden
Date: Mon, 1 Feb 2010 21:27:56 +0000 (-0800)
Subject: Bug 434801: [SECURITY] .htaccess doesn't prevent reading old-params.txt from the web
X-Git-Tag: bugzilla-3.4.5~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=161adb2a777dccc6c16ca7ca2d11b562b9fc752d;p=thirdparty%2Fbugzilla.git
Bug 434801: [SECURITY] .htaccess doesn't prevent reading old-params.txt from the web
Patch by Reed Loden r=mkanat a=LpSolit
---
diff --git a/Bugzilla/Config.pm b/Bugzilla/Config.pm
index 14f10bed98..5202146644 100644
--- a/Bugzilla/Config.pm
+++ b/Bugzilla/Config.pm
@@ -212,7 +212,7 @@ sub update_params {
 # --- REMOVE OLD PARAMS ---
 my %oldparams;
- # Remove any old params, put them in old-params.txt
+ # Remove any old params
 foreach my $item (keys %$param) {
 if (!grep($_ eq $item, map ($_->{'name'}, @param_list))) {
 $oldparams{$item} = $param->{$item};
@@ -220,13 +220,16 @@ sub update_params {
 }
 }
+ # Write any old parameters to old-params.txt
+ my $datadir = bz_locations()->{'datadir'};
+ my $old_param_file = "$datadir/old-params.txt";
 if (scalar(keys %oldparams)) {
- my $op_file = new IO::File('old-params.txt', '>>', 0600)
- || die "old-params.txt: $!";
+ my $op_file = new IO::File($old_param_file, '>>', 0600)
+ || die "Couldn't create $old_param_file: $!";
 print "The following parameters are no longer used in Bugzilla,",
 " and so have been\nmoved from your parameters file into",
- " old-params.txt:\n";
+ " $old_param_file:\n";
 local $Data::Dumper::Terse = 1;
 local $Data::Dumper::Indent = 0;
diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm
index 30577ae9f0..b8f07e7a33 100644
--- a/Bugzilla/Install/Filesystem.pm
+++ b/Bugzilla/Install/Filesystem.pm
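Review bot: The `0600` passed to `new IO::File($old_param_file, '>>', 0600)` in the second Config.pm hunk has no effect, because IO::File only honours the permissions argument when the mode is numeric (it then calls sysopen); with a string mode such as `'>>'` it falls back to a plain open and the file is created under the process umask. Since this file receives values removed from the parameters file, I would open it as `IO::File->new($old_param_file, O_WRONLY|O_APPEND|O_CREAT, 0600)`, assuming the O_ constants that IO::File exports by default are in scope in this module. Moving the file under `$datadir` only protects it where the web server actually denies access to that directory, which this diff does not show, so a short comment next to `$old_param_file` stating that dependency would help. update_params begins and ends outside the hunk.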
@@ -135,6 +135,7 @@ sub FILESYSTEM {
 'docs/*/README.docs' => { perms => $owner_readable },
 "$datadir/bugzilla-update.xml" => { perms => $ws_writeable },
 "$datadir/params" => { perms => $ws_writeable },
+ "$datadir/old-params.txt" => { perms => $owner_readable },
 );
 # Directories that we want to set the perms on, but not
@@ -364,6 +365,12 @@ sub update_filesystem {
 _rename_file($testfile, "$testfile.old");
 }
+ # If old-params.txt exists in the root directory, move it to datadir.
+ my $oldparamsfile = "old_params.txt";
+ if (-e $oldparamsfile) {
+ _rename_file($oldparamsfile, "$datadir/$oldparamsfile");
+ }
+ _create_files(%files);
 if ($params->{index_html}) {
 _create_files(%{$fs->{index_html}});
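Review bot: The migration in the second Filesystem.pm hunk tests for `old_params.txt` (underscore), while the permissions entry added in the first hunk, the Config.pm change and the comment directly above it all name `old-params.txt`, so `-e $oldparamsfile` would not match the file this commit is about and an existing copy in the root directory would stay where it is. The line should read `my $oldparamsfile = "old-params.txt";`, which also makes the rename target agree with the `"$datadir/old-params.txt"` entry in FILESYSTEM. The test uses a relative path, so it presumably relies on the working directory being the Bugzilla root when update_filesystem runs; that is not visible here. update_filesystem begins and ends outside the hunk.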