# don't allow people to retrieve non-cgi executable files or our private data
-<FilesMatch ^(.*\.pl|.*localconfig.*|processmail|runtests.sh)$>
+<FilesMatch ^(.*\.pl|.*localconfig.*|runtests.sh)$>
deny from all
</FilesMatch>
<FilesMatch ^(localconfig.js|localconfig.rdf)$>
@@ -446,8 +446,8 @@ CLASS="filename"
>data
directory are secured as described in Section 5.6Section 5.6.4.
ns_register_filter preauth GET /bugzilla/localconfig filter_deny
+ns_register_filter preauth GET /bugzilla/localconfig~ filter_deny
+ns_register_filter preauth GET /bugzilla/\#localconfig\# filter_deny
ns_register_filter preauth GET /bugzilla/*.pl filter_deny
-ns_register_filter preauth GET /bugzilla/localconfig filter_deny
-ns_register_filter preauth GET /bugzilla/processmail filter_deny
ns_register_filter preauth GET /bugzilla/syncshadowdb filter_deny
ns_register_filter preauth GET /bugzilla/runtests.sh filter_deny
-
+ns_register_filter preauth GET /bugzilla/data/* filter_deny
+ns_register_filter preauth GET /bugzilla/template/* filter_deny
+
proc filter_deny { why } {
ns_log Notice "filter_deny"
return "filter_return"
@@ -545,31 +547,84 @@ ALT="Warning">This doesn't appear to account for everything mentioned in - Section 5.6. In particular, it doesn't block access - to the data or +>This probably doesn't account for all possible editor backup + files so you may wish to add some additional variations of template directories. It also - doesn't account for the editor backup files that were the topic of +>localconfig. For more information, see bug 186383, or Bugtraq ID 6501. +
If you are using webdot from research.att.com (the default + configuration for the webdotbase paramater), you + will need to allow access to data/webdot/*.dot + for the reasearch.att.com machine. + If you are using a local installation of GraphViz, you will need to allow + everybody to access *.png, - and a partial cause for the 2.16.2 release. + *.gif, *.jpg, and + *.map in the + data/webdot directory. |