Bug 18873 - Non-optimal directory, html files
Status: CLOSED WONTFIX
Product: Red Hat Powertools
Classification: Retired
Component: bugzilla
7.0
i386 Linux
medium Severity medium
Assigned To: David Lawrence
David Lawrence
: FutureFeature
Reported: 2000-10-11 04:17 EDT by Pekka Savola
Modified: 2007-04-18 12:29 EDT
Doc Type: Enhancement
Last Closed: 2000-10-15 13:36:34 EDT


Description Pekka Savola 2000-10-11 04:17:22 EDT
It seems bugzilla installs all cgi scripts to /var/www/html/bugzilla.

I find this rather non-optimal.  Shouldn't these go somewhere _outside_ 
DocumentRoot, and then be ScriptAliased in httpd.conf?  

One example might be /var/www/bugzilla.

Also, it seems the html example files in contrib weren't included.  I'd
suggest installing them somewhere, perhaps %doc or elsewhere.  They're good
for reference and testing, at least, and now you have to dive for the source
right away.
Comment 1 Daniel Roesen 2000-10-13 11:26:57 EDT
Isn't this a security thing? I'm not really into web stuff, but I read every
now and then that CGIs should always be outside DocumentRoot and ScriptAliased,
as you outlined. Perhaps changing it to severity "security" is appropriate?!
Comment 2 David Lawrence 2001-04-30 13:22:41 EDT
This will not be fixed due to the fact that this is the way the Mozilla Bugzilla
team has been doing it for quite some time. Yes, you are correct that normally cgi
progs should go outside the document root, but there would be substantial changes
to be made for Bugzilla to work this way, since it was designed from the
beginning to reside in a single directory of its own. With proper permissions
and well done code, it shouldn't be an issue in this case.
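
A configuration check for the layout discussed in this report, as an added example that is not part of the bug report or of Bugzilla: it lists the CGI-enabled directories that lie inside DocumentRoot, where any file a CGI handler does not claim is served as static content. The two httpd.conf snippets are constructed samples, and the parser assumes a single DocumentRoot and no Include files.

```python
import shlex
from pathlib import PurePosixPath

# Constructed sample: the packaged layout described in the report.
SAMPLE_IN_DOCROOT = '''
DocumentRoot "/var/www/html"
<Directory "/var/www/html/bugzilla">
    Options +ExecCGI
    AddHandler cgi-script .cgi
</Directory>
'''

# Constructed sample: the layout the reporter suggests instead.
SAMPLE_SCRIPTALIAS = '''
DocumentRoot "/var/www/html"
ScriptAlias /bugzilla/ "/var/www/bugzilla/"
'''

def _inside(path, root):
    # Compare path components, so /var/www/html-cgi is not "inside" /var/www/html.
    return path == root or root in path.parents

def cgi_dirs_in_docroot(conf_text):
    """Return the CGI-enabled directories that lie inside DocumentRoot."""
    docroot, cgi_dirs, current = None, set(), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache comments are whole lines
            continue
        words = shlex.split(line.strip("<>"))     # handles quoted paths
        name, args = words[0].lower(), words[1:]  # directive names are case-insensitive
        if name == "documentroot" and args:
            docroot = PurePosixPath(args[0])
        elif name == "scriptalias" and len(args) == 2:
            cgi_dirs.add(PurePosixPath(args[1]))  # every file here runs as CGI
        elif name == "directory" and args:
            current = PurePosixPath(args[0])
        elif name == "/directory":
            current = None
        elif name == "options" and current is not None:
            # "All" includes ExecCGI; "-ExecCGI" matches neither name
            if any(a.lstrip("+").lower() in ("execcgi", "all") for a in args):
                cgi_dirs.add(current)
    if docroot is None:
        return []
    return sorted(str(d) for d in cgi_dirs if _inside(d, docroot))

if __name__ == "__main__":
    print(cgi_dirs_in_docroot(SAMPLE_IN_DOCROOT))
    print(cgi_dirs_in_docroot(SAMPLE_SCRIPTALIAS))
```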
