Page MenuHomePhabricator
Create Task
Maniphest T199029

1.31.0 tarball is missing .htaccess files (CVE-2018-13258)
Closed, ResolvedPublic
Actions

Description

The .htaccess files are used to protect some directories that shouldn't be web accessible.

I believe it was rMREL41c86dd3eb87: make-release: Simplify excludes, just drop all .dotfiles that caused this.

Details

SubjectRepoBranchLines +/-
SECURITY: Don't exclude .htaccess files from `git archive`mediawiki/coremaster+1 -0
SECURITY: Don't exclude .htaccess files from `git archive`mediawiki/coreREL1_31+1 -0
SECURITY: Don't exclude .htaccess files from `git archive`mediawiki/coreREL1_30+1 -0
SECURITY: Don't exclude .htaccess files from `git archive`mediawiki/coreREL1_29+1 -0
SECURITY: Don't exclude .htaccess files from `git archive`mediawiki/coreREL1_27+1 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Legoktm created this task.Jul 7 2018, 7:11 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 7 2018, 7:11 PM
Krinkle added projects: MW-1.31-release, MediaWiki-Releasing.Jul 7 2018, 7:50 PM
Krinkle removed a project: MediaWiki-Releasing.
Legoktm added a comment.Jul 20 2018, 8:32 PM

0001-Don-t-exclude-.htaccess-files-from-git-archive.patch661 BDownload

The patch is really simple obviously. I'm still working on the new release script (T199467) though to actually use gitattributes.

Legoktm merged a task: Restricted Task.Jul 29 2018, 5:10 PM
Legoktm added a subscriber: Jjjjjjjjjj.
chasemp subscribed.Aug 13 2018, 12:54 PM
Legoktm added a parent task: T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.Aug 29 2018, 1:23 AM
Legoktm mentioned this in T181665: Tracking bug for 1.27.5/1.29.3/1.30.1/1.31.1 security release.
Legoktm mentioned this in T199027: Obtain CVEs for 1.27.5/1.29.3/1.30.1/1.31.1 security releases.Aug 29 2018, 1:38 AM
Legoktm moved this task from Backlog to Needs backport on the MW-1.31-release board.Aug 29 2018, 2:22 AM
Reedy subscribed.Sep 15 2018, 2:44 AM

Has this been included in your bundled patches for the branches? Or is this still in addition to T181665#4552739 ?

Just to make sure it doesn't accidentally get forgotten about :)

Legoktm added a comment.Sep 15 2018, 3:15 AM
In T199029#4585359, @Reedy wrote:

Has this been included in your bundled patches for the branches? Or is this still in addition to T181665#4552739 ?

Just to make sure it doesn't accidentally get forgotten about :)

It should be included in each of the patch tars :) It does require using the new release script though, since that uses .gitattributes when deciding what to exclude. If we don't end up using it, we'll need to figure out a different solution for this bug (that said, I'd rather invest in fixing the new release script :))

Reedy closed this task as Resolved.Sep 20 2018, 8:20 PM
Reedy assigned this task to Legoktm.
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Sep 20 2018, 9:35 PM
ReleaseTaggerBot added projects: MW-1.29-release-notes, MW-1.30-release-notes, MW-1.31-release-notes, MW-1.32-notes (WMF-deploy-2018-09-25 (1.32.0-wmf.23)), MW-1.27-release-notes.Sep 20 2018, 10:00 PM
MoritzMuehlenhoff renamed this task from 1.31.0 tarball is missing .htaccess files to 1.31.0 tarball is missing .htaccess files (CVE-2018-13258).Sep 21 2018, 7:26 AM
chasemp added a project: Security.Feb 10 2020, 10:51 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits