Should deny access to backup ~ files by default

Bug #138499 reported by Jason Gerard DeRose
Affects: Apache2 Web Server | Status: Invalid | Importance: Medium
Affects: apache2 (Ubuntu) | Status: Invalid | Importance: Wishlist | Assigned to: Unassigned

Bug Description

Binary package hint: apache2-common

There should really be a default global directive that denies access to backup ~ files, something like this:

<Files *~>
Deny from All
</Files>

Otherwise, backup files are such a common way that DB passwords, etc., are unintentionally exposed.

It would also be great if access was denied by default to other special files associated with certain modules. For example, I'm currently working with mod_python, for which something like this is needed:

<FilesMatch "\.(pyc|pyo)$">
Deny from All
</FilesMatch>

Perhaps this could be included in a "mod_python.conf" file?

I was unsure whether I should mark this as a security vulnerability, but I figure better safe than sorry. ;)

Cheers,
Jason
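A way to check an existing document root for the files those two directives would cover, as an added example that is not part of the original report. The patterns come from the report; the function names and the sample tree are constructed for illustration.

```python
import fnmatch
import os
import re
import tempfile

# Patterns taken from the report: <Files *~> and <FilesMatch "\.(pyc|pyo)$">.
# Apache applies both directives to the file's basename, not the full path,
# so a directory whose name ends in "~" does not trigger a match by itself.
BACKUP_GLOB = "*~"
BYTECODE_RE = re.compile(r"\.(pyc|pyo)$")


def find_exposed_files(docroot):
    """Return sorted (relative_path, reason) pairs for files the directives would deny."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            if fnmatch.fnmatchcase(name, BACKUP_GLOB):
                reason = "backup"
            elif BYTECODE_RE.search(name):
                reason = "bytecode"
            else:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            findings.append((rel.replace(os.sep, "/"), reason))
    return sorted(findings)


def build_sample_docroot(root):
    """Create a small constructed tree (sample data, not from the report)."""
    for rel in ("index.html", "config.php", "config.php~",
                "app/handler.py", "app/handler.pyc", "app/notes~/readme.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


def demo():
    """Audit the constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_docroot(root)
        return find_exposed_files(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:9} {rel}")
```

Point `find_exposed_files` at a real document root to list files that are served today unless a deny rule like the ones above is in place.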

Kees Cook (kees)
Changed in apache2:
importance: Undecided → Wishlist
Mathias Gug (mathiaz)
Changed in apache2:
status: New → Triaged
Samuel Lidén Borell (samuellb) wrote :
Changed in apache2:
status: Unknown → Invalid
Mathias Gug (mathiaz) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. I'm marking this bug as Invalid to follow the upstream answer to the same query.

Changed in apache2:
status: Triaged → Invalid
Changed in apache2:
importance: Unknown → Medium
This report contains Public Security information  
Everyone can see this security related information.
