1.31.0 tarball is missing .htaccess files (CVE-2018-13258)
Closed, Resolved · Public

Description

The .htaccess files are used to protect some directories that shouldn't be web accessible.

I believe it was rMREL41c86dd3eb87: make-release: Simplify excludes, just drop all .dotfiles that caused this.

Event Timeline

Legoktm created this task. Jul 7 2018, 7:11 PM
Restricted Application added a subscriber: Aklapper. Jul 7 2018, 7:11 PM

The patch is really simple obviously. I'm still working on the new release script (T199467) though to actually use gitattributes.

Legoktm merged a task: Restricted Task. Jul 29 2018, 5:10 PM
Legoktm added a subscriber: Jjjjjjjjjj.
Reedy added a subscriber: Reedy. Sep 15 2018, 2:44 AM

Has this been included in your bundled patches for the branches? Or is this still in addition to T181665#4552739 ?

Just to make sure it doesn't accidentally get forgotten about :)

It should be included in each of the patch tars :) It does require using the new release script though, since that uses .gitattributes when deciding what to exclude. If we don't end up using it, we'll need to figure out a different solution for this bug (that said, I'd rather invest in fixing the new release script :))

Reedy closed this task as Resolved. Sep 20 2018, 8:20 PM
Reedy assigned this task to Legoktm.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Sep 20 2018, 9:35 PM
MoritzMuehlenhoff renamed this task from 1.31.0 tarball is missing .htaccess files to 1.31.0 tarball is missing .htaccess files (CVE-2018-13258). Sep 21 2018, 7:26 AM
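
As an added illustration (not part of this task and not MediaWiki's release tooling), the Python below reproduces the failure mode described above, an exclude rule that drops every dotfile, and shows a pre-publish check that compares the packaged tarball against the source tree for missing .htaccess files. The tree layout, file contents, release prefix and all function names are constructed for the example; `drop_listed_only` is a stand-in for a narrower exclude rule, not the .gitattributes-based approach mentioned in the comments.

```python
import io
import tarfile

# Constructed source tree (hypothetical paths and contents, not the real layout).
SOURCE_TREE = {
    "index.php": b"<?php\n",
    "cache/.htaccess": b"Deny from all\n",
    "maintenance/.htaccess": b"Deny from all\n",
    "maintenance/run.php": b"<?php\n",
    ".gitignore": b"/vendor\n",
    ".git/config": b"[core]\n",
}

def drop_all_dotfiles(path):
    """Over-broad rule: exclude anything with a dot-prefixed path component."""
    return any(part.startswith(".") for part in path.split("/"))

def drop_listed_only(path, excluded=(".git", ".gitignore")):
    """Narrow rule: exclude only explicitly listed names, so .htaccess survives."""
    return any(part in excluded for part in path.split("/"))

def build_tarball(tree, exclude, prefix="release-x.y.z"):
    """Package the tree into an in-memory .tar.gz, skipping excluded paths."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(tree.items()):
            if exclude(path):
                continue
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def missing_htaccess(tree, tarball_bytes):
    """Return .htaccess paths present in the source tree but absent from the tarball."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        # Strip the top-level release directory from each member name.
        shipped = {n.split("/", 1)[1] for n in tar.getnames() if "/" in n}
    expected = {p for p in tree if p.rsplit("/", 1)[-1] == ".htaccess"}
    return sorted(expected - shipped)

if __name__ == "__main__":
    for rule in (drop_all_dotfiles, drop_listed_only):
        gaps = missing_htaccess(SOURCE_TREE, build_tarball(SOURCE_TREE, rule))
        print(f"{rule.__name__}: missing {gaps or 'nothing'}")
```

Run as a gate before publishing, a non-empty result from `missing_htaccess` means the archive lost access-control files that exist in the source tree.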