From d10e44a9d7672873147c9b29cb9880ee54c1b9b5 Mon Sep 17 00:00:00 2001
From: Marcel de Rooy
Date: Thu, 14 Jul 2016 13:51:21 +0200
Subject: [PATCH] Bug 16922: Add RewriteRule to apache-shared-intranet for dev package installs

As a simple alternative to the solution in bug 9949 or just as an additional measure, this patch adds a rewrite rule for intranet in order to intercept potential misuse of perl scripts that could be reached on a dev package install via the cgi-bin/koha scriptalias. It simply rewrites them to the nonexistent "notfound", resulting in a regular 404 error.

The rewrite rule does not harm regular installs and is just a little extra step in securing a dev install. You should have more security measures in place to secure your staff client.

QA Note: Although a rewrite rule may not be our first choice, this one rule is more elegant and easier to maintain than e.g. a whole bunch of aliases.

Note: This patch should have a regular and a dev install signoff.

Test plan:
[1] Make sure that this rewrite rule is inserted in your actual apache config via /etc/koha/apache-shared-intranet.conf. Restart Apache.
[2] For regular package installs: Try one of the URLs in step 3. Verify that your staff client still operates as usual. Test a few URLs inside some modules.
[3] For dev installs: Try some URLs like below. Expect 404 errors only, not 500s. If you do not see a 404, go back!
    /misc/stage_file.pl
    /t/db_dependent/default_search_class.pl
    /installer/data/mysql/updatedatabase.pl
    /Makefile.PL
[4] Do you see an additional directory to add to the regex? Please report.

Signed-off-by: Martin Renvoize
Signed-off-by: Kyle M Hall
Signed-off-by: Joy Nelson

(cherry picked from commit 3401e94d942a8d8a4e216ea44bd295f96b8f3e24)
Signed-off-by: Lucas Gass
---
 debian/templates/apache-shared-intranet.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian/templates/apache-shared-intranet.conf b/debian/templates/apache-shared-intranet.conf
index 58de0b381b..001342f515 100644
--- a/debian/templates/apache-shared-intranet.conf +++ b/debian/templates/apache-shared-intranet.conf @@ -11,6 +11,9 @@ ScriptAlias /cgi-bin/koha/ "/usr/share/koha/intranet/cgi-bin/" ScriptAlias /index.html "/usr/share/koha/intranet/cgi-bin/mainpage.pl" ScriptAlias /search "/usr/share/koha/intranet/cgi-bin/catalogue/search.pl" +# Protect dev package install +RewriteEngine on +RewriteRule ^/cgi-bin/koha/(C4|debian|etc|installer/data|install_misc|Koha|misc|selenium|t|test|tmp|xt)/|\.PL$ /notfound [PT] RewriteCond %{QUERY_STRING} (.*?)(?:[A-Za-z0-9_-]+)=&(.*) RewriteRule (.+) $1?%1%2 [N,R,NE] -- 2.39.5
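Review bot: the second alternative in the new RewriteRule pattern, `\.PL$`, is not anchored under `/cgi-bin/koha/` (the `^/cgi-bin/koha/` prefix governs only the first alternative), so any request path in the vhost that ends in `.PL` is rewritten to `/notfound`, not just `/cgi-bin/koha/Makefile.PL` from the test plan. If that breadth is intended, say so in the `# Protect dev package install` comment (and cite bug 16922 there, so step [4] of the test plan has an obvious place to grow the directory list); otherwise group the alternatives so both sit under the prefix, e.g. `RewriteRule ^/cgi-bin/koha/(?:(C4|debian|etc|installer/data|install_misc|Koha|misc|selenium|t|test|tmp|xt)/|.*\.PL$) /notfound [PT]`. Two further points worth a line in the comment: the list deliberately names `installer/data` rather than `installer`, so the web installer scripts directly under `installer/` remain reachable, and the directory branch requires a trailing `/`, so a bare `/cgi-bin/koha/t` is not matched (it only blocks scripts inside the directory, which is what the test plan exercises).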