Opened 18 years ago

Last modified 6 years ago

#7277 reopened defect

apache2, apache20, apache: Protect .ht* and .DS_Store files case-insensitively

Reported by: ryandesign (Ryan Carsten Schmidt) Owned by: macports-tickets@…
Priority: High Milestone:
Component: ports Version:
Keywords: Cc: nox@…, blair (Blair Zajac), cooljeanius (Eric Gallager), Schamschula (Marius Schamschula), pixilla (Bradley Giesbrecht)
Port: apache2, apache20, apache

Description (last modified by jmpp@…)

By default the apache2 port installs an httpd.conf containing this section which is supposed to prevent malicious users from reading the contents of .htaccess or .htpasswd files:

# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

This is insufficient on file systems which are case insensitive, such as Mac OS X's default HFS+ file system. Mac OS X also has other files and directories inside each directory which must not be made accessible to web visitors. See Apple's knowledge base article:

http://docs.info.apple.com/article.html?artnum=300422

The updated rules provided in that knowledge base article should be patched into the default httpd.conf file provided through darwinports so that users are by default protected from this problem.

Someone should also examine the apache 1 port to see if it suffers from the same problem, and patch it too if necessary (possibly creating a separate bug report if necessary).

This issue is related a bit to bug #803.

Attachments (1)

apache2.diff (3.2 KB) - added by ryandesign (Ryan Carsten Schmidt) 16 years ago.

Download all attachments as: .zip

Change History (16)

comment:1 Changed 17 years ago by nox@…

Cc: nox@… added
Milestone: Port Bugs
Priority: ExpectedHigh
Version: 1.2

As this is a security issue, I've set the priority to High

comment:2 Changed 16 years ago by nox@…

Cc: ryandesign@… added
Owner: changed from james@… to imajes@…

Maybe we should fix it without James approval? That's a security issue.

comment:3 Changed 16 years ago by jmpp@…

Description: modified (diff)

comment:4 Changed 16 years ago by imajes@…

now that this has been bumped up a bit it's on my radar... i'll try attack it this weekend.

anyone who wants to submit a patch is welcome- i'll apply if i get one.

comment:5 Changed 16 years ago by ryandesign (Ryan Carsten Schmidt)

This patch fixes the issue like kbase article 300422 says we should and therefore also increases the port revision.

Also changing the fix for #7273 (r17933) from reinplaces to a patchfile. This is better because we get no notification if a reinplace ever fails, but we do if a patchfile fails.

Also making the changing of the user and group under which the server runs a patchfile again instead of a reinplace (undoing this change from r33568). It really has no business being a reinplace. This is a job for a patchfile. Also, this seems to be Mac OS X-specific, so it's going into the platform darwin section.

To apply this patch please do this:

cd `port dir apache2`
svn mkdir files
svn cp -r 33567 http://svn.macosforge.org/repository/macports/trunk/dports/www/apache2/files/patch-httpd-std.conf.in files/patch-httpd.conf.in.diff
patch -p0 < ~/Desktop/apache2.diff
svn add files/patch-httpd-userdir.conf.in.diff

Changed 16 years ago by ryandesign (Ryan Carsten Schmidt)

Attachment: apache2.diff added

comment:6 Changed 15 years ago by nox@…

this ticket is a security issue and should be taken care of.

comment:7 Changed 15 years ago by ryandesign (Ryan Carsten Schmidt)

Cc: ryandesign@… removed
Port: apache2 apache20 apache added
Reporter: changed from opendarwin-2006@… to ryandesign@…

comment:8 Changed 15 years ago by nox@…

Resolution: fixed
Status: newclosed

Fixed in r41709, see #17078.

comment:9 Changed 15 years ago by (none)

Milestone: Port Bugs

Milestone Port Bugs deleted

comment:10 in reply to:  8 ; Changed 15 years ago by ryandesign (Ryan Carsten Schmidt)

Cc: blair@… added
Resolution: fixed
Status: closedreopened
Summary: Protect .ht* files case insensitively by default (apache2 port)apache2, apache20, apache: Protect .ht* and .DS_Store files case-insensitively

Replying to nox@…:

Fixed in r41709, see #17078.

The patch-httpd.conf.in-sensitive-files.diff committed in r41709 differs by one character from the version I submitted here, with the unfortunate effect that .htaccess, .htpasswd and .DS_Store files are not in fact protected at all. Fixed in r56572.

Reopening ticket because the apache20 and apache ports have not yet been touched for this issue. Blair maintains apache20; I maintain apache.

comment:11 in reply to:  10 Changed 15 years ago by ryandesign (Ryan Carsten Schmidt)

Replying to ryandesign@…:

The patch-httpd.conf.in-sensitive-files.diff committed in r41709 differs by one character from the version I submitted here

I take it back -- it differs quite a lot, including an additional difference to how the namedfork protection works. In r56574 I replaced the patch with the one I originally submitted here, because that version of the directives is taken directly from the Apple knowledge base article.

comment:12 Changed 14 years ago by ryandesign (Ryan Carsten Schmidt)

Owner: changed from imajes@… to macports-tickets@…

James Cox (imajes) retires as MacPorts maintainer (see macports-mgr archives)

comment:21 Changed 11 years ago by cooljeanius (Eric Gallager)

This issue is related a bit to bug #803.

#803 is now #38461, which was opened because of #38452.

comment:22 Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)

Cc: egall@… added

comment:23 Changed 6 years ago by jmroot (Joshua Root)

Cc: Schamschula pixilla added
Note: See TracTickets for help on using tickets.