Bug 18873 - Non-optimal directory, html files
Summary: Non-optimal directory, html files
Alias: None
Product: Red Hat Powertools
Classification: Retired
Component: bugzilla   
Version: 7.0
Hardware: i386
OS: Linux
Assignee: David Lawrence
QA Contact: David Lawrence
Keywords: FutureFeature
Reported: 2000-10-11 08:17 UTC by Pekka Savola
Modified: 2007-04-18 16:29 UTC (History)

Doc Type: Enhancement
Last Closed: 2000-10-15 17:36:34 UTC

Description Pekka Savola 2000-10-11 08:17:22 UTC
It seems bugzilla installs all cgi scripts to /var/www/html/bugzilla.

I find this rather non-optimal.  Shouldn't these go somewhere _outside_ 
DocumentRoot, and then be ScriptAliased in httpd.conf?  

One example might be /var/www/bugzilla.

Also, it seems the html example files in contrib weren't included.  I'd
installing them somewhere, perhaps %doc or elsewhere.  They're good for
and testing, at least, and now you have to dive for the source right away.

Comment 1 Daniel Roesen 2000-10-13 15:26:57 UTC
Isn't this a security thing? I'm not really into web stuff, but I read every
now and then that CGIs should always be outside DocumentRoot and ScriptAliased,
as you outlined. Perhaps changing it to severity "security" is appropriate?!

Comment 2 David Lawrence 2001-04-30 17:22:41 UTC
This will not be fixed due to the fact that this is the way the Mozilla Bugzilla
team has been doing it for quite some time. Yes, you are correct that normally cgi
progs should go outside the document root, but there would be substantial changes
to be made for Bugzilla to work this way since it was designed from the
beginning to reside in a single directory of its own. With proper permissions
and well done code, it shouldn't be an issue in this case.
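
An added example, not part of the bug report or of Bugzilla's packaging: a Python check that reads httpd.conf-style text and reports directories where CGI execution is enabled inside DocumentRoot, run over the packaged layout and the ScriptAlias layout proposed in the description. The sample configs, the DocumentRoot value /var/www/html and the function names are constructed assumptions.

```python
import posixpath

# Constructed sample configs, not from the report. DocumentRoot /var/www/html is
# an assumption; the two bugzilla directories are the ones named in the report.
PACKAGED = """\
DocumentRoot "/var/www/html"
<Directory "/var/www/html/bugzilla">
    Options +ExecCGI
    AddHandler cgi-script .cgi
</Directory>
"""
PROPOSED = """\
DocumentRoot "/var/www/html"
ScriptAlias /bugzilla/ "/var/www/bugzilla/"
<Directory "/var/www/bugzilla">
    AllowOverride None
</Directory>
"""

def _inside(path, root):
    """True if path is root or lies below it, after normalising '..' and '/'."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")

def cgi_under_docroot(conf):
    """Return directories where CGI execution is enabled inside DocumentRoot."""
    docroot, current, cgi_dirs = None, None, set()
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Simplification: whitespace-split, so quoted paths with spaces are not handled.
        words = [w.strip('"') for w in line.rstrip(">").split()]
        key, args = words[0].lower(), [w.lower() for w in words[1:]]
        if key == "documentroot":
            docroot = words[1]
        elif key == "<directory":
            current = words[1]
        elif key == "</directory":
            current = None
        elif key == "scriptalias":
            cgi_dirs.add(words[2])
        elif current and key == "options" and {"execcgi", "+execcgi", "all"} & set(args):
            cgi_dirs.add(current)
        elif current and key in ("addhandler", "sethandler") and args[:1] == ["cgi-script"]:
            cgi_dirs.add(current)
    if docroot is None:
        return []
    return sorted(d for d in cgi_dirs if _inside(d, docroot))
```

With the ScriptAlias layout every file in the target directory is treated as a CGI program and nothing in it is reachable as a static file, which is why the check reports nothing for the second config.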
