[Fusionforge-commits] FusionForge branch Branch_5_2 updated. 30f80503efbfb68c3915ef968c5215ab203d8118

Sylvain Beucler beuc-inria at fusionforge.org
Mon Mar 31 12:06:47 CEST 2014


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "FusionForge".

The branch, Branch_5_2 has been updated
       via  30f80503efbfb68c3915ef968c5215ab203d8118 (commit)
      from  63482cd970e1aec34b669c9b4e8b05008a60bb2a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 30f80503efbfb68c3915ef968c5215ab203d8118
Author: Thorsten Glaser <t.glaser at tarent.de>
Date:   Thu Mar 27 18:55:09 2014 +0100

    tighten permission on /anonscm/ web subdirectory
    
    Addresses: CVE-2014-0468
    Found by: Sylvain Beucler
    Fixes by: Sylvain Beucler, Roland Mas, me
    
    Conflicts:
    	src/etc/httpd.conf.d-fhs/plugin-generic.inc
    	src/etc/httpd.conf.d-opt/plugin-generic.inc
    	src/etc/httpd.conf.d-usrlocal/plugin-generic.inc

diff --git a/src/etc/httpd.conf.d/plugin-generic.inc b/src/etc/httpd.conf.d/plugin-generic.inc
index f887b69..ad05445 100644
--- a/src/etc/httpd.conf.d/plugin-generic.inc
+++ b/src/etc/httpd.conf.d/plugin-generic.inc
@@ -6,5 +6,24 @@ Alias {core/url_prefix}anonscm/ {core/data_path}/chroot/scmrepos/
   Options -Indexes
 </DirectoryMatch>
 <DirectoryMatch {core/data_path}/chroot/scmrepos/[^/]*/.*>
-  Options +Indexes
+  # Enable directory index listing, but disable symlinks and CGI
+  Options Indexes
+
+  # Permit HTTP Auth for somewhat private projects (mechanism
+  # other than the SCM anon bit in the forge)
+  AllowOverride AuthConfig
+
+  # Prevent cookie theft in case a script does manage to execute
+  RequestHeader unset Cookie
+
+  # Disable all scripting engines (taken from Savannah)
+  # except for empty filenames == directory index
+  <Files "?*">
+    SetHandler default
+  </Files>
+
+  # Disable PHP5 explicitly for security (CVE-2014-0468)
+  <IfModule mod_php5.c>
+    php_admin_flag engine off
+  </IfModule>
 </DirectoryMatch>

-----------------------------------------------------------------------

Summary of changes:
 src/etc/httpd.conf.d/plugin-generic.inc |   21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)


hooks/post-receive
-- 
FusionForge



More information about the Fusionforge-commits mailing list