From: Anton Chevychalov Date: Mon, 10 Apr 2017 10:25:40 +0000 (+0300) Subject: Remove useless Indexes option X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=326837d626251e8d0947e6b2cbbdad4ff64adfe3;p=packages%2Fcentos7%2Fcobbler.git Remove useless Indexes option There are potential security issue with Indexes on directories without real needs. Change-Id: Iaed2d80a22a47e036471e7d3685cfc71b42893ba Closes-Bug: #1646744 --- diff --git a/cobbler.spec b/cobbler.spec index ed2d75e..1690edf 100644 --- a/cobbler.spec +++ b/cobbler.spec @@ -16,7 +16,7 @@ Name: cobbler License: GPLv2+ AutoReq: no Version: 2.6.9 -Release: 1%{?dist}~mos1 +Release: 1%{?dist}~mos2 Source0: https://github.com/cobbler/cobbler/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz # Support newer virt-install - https://bugzilla.redhat.com/show_bug.cgi?id=1188424 Patch0: cobbler-virtinstall.patch @@ -26,6 +26,8 @@ Patch1: cobbler-centos.patch # Support django1.7+ # https://github.com/cobbler/cobbler-web/issues/9 Patch2: cobbler-django17.patch +# Remove useless Indexes Option in Apache config +Patch3: no_indexes.patch Group: Applications/System BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot BuildArch: noarch @@ -90,6 +92,7 @@ other applications. %if 0%{?fedora} >= 22 %patch2 -p1 -b .django17 %endif +%patch3 -p1 %build %{__python2} setup.py build @@ -284,9 +287,12 @@ sed -i -e "s/SECRET_KEY = ''/SECRET_KEY = \'$RAND_SECRET\'/" /usr/share/cobbler/ %changelog +* Mon Apr 10 2017 Anton Chevychalov - 2.6.9-1~mos2 +- Remove useless and harmfull Indexes option from Apache configs + * Tue Sep 29 2015 Artem Silenkov - 2.6.9-1~mos8.0.1 - Make sources local -- Rebuild from epel7 +- Rebuild from epel7 * Mon Jun 22 2015 Orion Poplawski - 2.6.9-1 - Update to 2.6.9 diff --git a/no_indexes.patch b/no_indexes.patch new file mode 100644 index 0000000..39d9961 --- /dev/null +++ b/no_indexes.patch 
@@ -0,0 +1,42 @@
+diff -Naur cobbler-2.6.9/config/cobbler.conf cobbler-2.6.9.no_indexes/config/cobbler.conf
+--- cobbler-2.6.9/config/cobbler.conf 2015-06-12 09:07:39.000000000 +0300
++++ cobbler-2.6.9.no_indexes/config/cobbler.conf 2017-04-10 13:16:32.222436762 +0300
+@@ -11,7 +11,7 @@
+
+
+ SetEnv VIRTUALENV @@virtualenv@@
+- Options Indexes FollowSymLinks
++ Options FollowSymLinks
+ Order allow,deny
+ Allow from all
+
+@@ -28,7 +28,7 @@
+ # this is only a pointer to the new page.
+
+
+- Options Indexes FollowSymLinks
++ Options FollowSymLinks
+ Order allow,deny
+ Allow from all
+
+diff -Naur cobbler-2.6.9/config/cobbler_web.conf cobbler-2.6.9.no_indexes/config/cobbler_web.conf
+--- cobbler-2.6.9/config/cobbler_web.conf 2015-06-12 09:07:39.000000000 +0300
++++ cobbler-2.6.9.no_indexes/config/cobbler_web.conf 2017-04-10 13:16:59.746070328 +0300
+@@ -9,7 +9,7 @@
+ NSSRequireSSL
+
+ SetEnv VIRTUALENV @@virtualenv@@
+- Options Indexes MultiViews
++ Options MultiViews
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+@@ -22,7 +22,7 @@
+
+ NSSRequireSSL
+
+- Options +Indexes +FollowSymLinks
++ Options +FollowSymLinks
+ AllowOverride None
+ Order allow,deny
+ Allow from all
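Review bot: In the last hunk for config/cobbler_web.conf the new line `Options +FollowSymLinks` is still in relative form, so it merges with whatever options the enclosing context already has. If Indexes is enabled at a higher level, directory listings stay on for this block even after the patch. The other three blocks use the absolute form (`Options FollowSymLinks`, `Options MultiViews`), which replaces the inherited set and so drops Indexes. To make the intent explicit here, use `Options -Indexes +FollowSymLinks`, or the absolute `Options FollowSymLinks` to match the other blocks. The enclosing container tags are not visible in the hunk, so which directory this block covers should be checked against the shipped config.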