Bug 188410
Summary: | Review Request: phpBB | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Peter Gordon <peter> |
Component: | Package Review | Assignee: | Thorsten Leemhuis (ignored mailbox) <bugzilla-sink> |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Package Reviews List <fedora-package-review> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | ivazqueznet, wtogami, yaneti |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2006-04-10 02:35:22 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Peter Gordon
2006-04-09 09:41:53 UTC
(In reply to comment #0)
> Firstly, it gives an error that the scripts do not have shebangs. Since these
> are PHP scripts meant to be run through mod_php

Do they need to be executable then? See rpmlint -I script-without-shellbang

Hi, Ville. I forgot that the scripts themselves only need be readable in this case. I've uploaded a second release with this fixed, and I also included the cache's .htaccess limits in the global httpd phpBB config file.

Source RPM: http://www.thecodergeek.com/downloads/fedora/phpBB-2.0.20-2.src.rpm
Spec: http://www.thecodergeek.com/downloads/fedora/phpBB.spec

Thanks for your time.

Has this code been audited for security? Personally I don't want Extras supplying a known-bad piece of software in an easy-to-install (and therefore break) form.

phpBB is pretty well maintained and has undergone quite a bit of scrutiny. Obviously we shouldn't add known-broken packages to Extras, but I don't think it's the submitter's job to do a full security audit on every package. At some point we have to trust upstream to do their job. However, because of its security-sensitive status, this is certainly one of those packages that should have a backup maintainer (or two) so that any necessary updates are released as quickly as possible.

To me phpBB is like the sendmail of the php forum thingies (with less features than some of the others). And Fedora still ships sendmail...

Well, even though phpBB does seem to contain many vulnerabilities, upstream is very good about releasing fixes or patches for these; and it is my intent to keep up to date with upstream releases including these security fixes and/or patch it myself if needed. I'd be happy to take on this package with a couple of other maintainers, as needed. (To be honest, I think that's probably a good idea.) Thanks.

> Secondly, it complains that there is an htaccess file in the distribution:
> E: phpBB htaccess-file /var/www/phpBB2/cache/.htaccess
> This is where phpBB stores its cache data, and this .htaccess file explicitly
> disallows any direct requests for those files. Thus, this seems reasonable to
> ignore, also.

By default httpd.conf doesn't allow htaccess overrides, so the effectiveness of
this .htaccess is not great. I am pretty sure this directory doesn't need to be
in a web-accessible directory at all. You could patch the default directory so
that it uses someplace like /var/cache/phpbb instead (not sure, I haven't tested
this)?

About PHPBB security, it is actively maintained, but has a long history of
repeated security holes. I've seen many Linux servers become compromised by
script kiddies due to past PHPBB holes. If PHPBB gets into Fedora, the
maintainer(s) *MUST* be vigilant in updating the package quickly when upstream
makes a new release.

Another option would be to put those explicit disallows into a /etc/httpd/conf.d/phpbb.conf, although I am not sure if this is a better or worse idea than my last comment.

(In reply to comment #8)
> Another option would be to put those explicit disallows into a
> /etc/httpd/conf.d/phpbb.conf, although I am not sure if this is a better or
> worse idea than my last comment.

That's one thing I changed in release 2. :)

Actually, I've been discussing this with a couple of my friends and based on phpBB's track record of vulnerabilities, it may be for the best *not* to package it in Extras until it can be properly audited and whatnot. I'll close this as WONTFIX.

Have a nice evening, all.
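The .htaccess point raised in the review is worth seeing as configuration. Below is an added example of the server-level restriction the thread converges on; it is not the submitted package's phpbb.conf, the spec, or anything shipped by phpBB. It assumes the paths named in the thread (/var/www/phpBB2/cache from the rpmlint output, /etc/httpd/conf.d/phpbb.conf and /var/cache/phpbb from the comments) and a stock Fedora httpd.conf whose document-root <Directory> sets AllowOverride None, which is why a .htaccess dropped into the cache directory is never read.

```apache
# /etc/httpd/conf.d/phpbb.conf
# Added example for this review; not the bug's spec, the package's conf.d
# file, or phpBB's own .htaccess. Paths are the ones quoted in the thread.
#
# Why this file exists: phpBB ships /var/www/phpBB2/cache/.htaccess to refuse
# direct requests for its cache files. The stock httpd.conf sets
#     AllowOverride None
# for /var/www, so httpd never reads that .htaccess and the cache directory
# is served like any other. A server-level <Directory> block does not depend
# on AllowOverride, so the restriction holds whatever the global setting is.

# Weak form, shown only for comparison: this would make the shipped .htaccess
# effective, but it also lets any file owner under the tree override server
# policy. Leave it commented out; use the block below instead.
#   <Directory /var/www/phpBB2>
#       AllowOverride Limit
#   </Directory>

# Hardened form: deny the cache directory at server level. The IfModule pair
# selects the httpd 2.4 (Require) or 2.0/2.2 (Order/Deny) authorization
# syntax, so the same file works on either generation. A denied request gets
# 403 before mod_php looks at it, so nothing an attacker manages to write
# into the cache can be executed by requesting it.
<Directory /var/www/phpBB2/cache>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>

# Alternative raised in the thread: keep the cache outside the document root
# (e.g. /var/cache/phpbb) so there is nothing for httpd to serve at all. The
# thread does not say where phpBB's cache path is set, so patching the
# application to use this directory is left to the maintainer. The directory
# only needs to be writable by the httpd user; the mode is an assumption.
#   install -d -m 0750 -o apache -g apache /var/cache/phpbb
```

After installing the file, `httpd -t` checks the syntax and `service httpd reload` picks it up; a request such as `curl -sI http://localhost/phpBB2/cache/` should then answer 403 rather than listing or serving anything. Those verification commands are this example's suggestion, not steps from the review.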