FreeBSD's roundcube port is not installing .htaccess files, which by default deny access to config, temp, logs dirs and more. So, by default, you can remotely read roundcube logs, composer configs, and so on.

How to repeat:

Fresh system with no packages installed.

root@testlab:~ # uname -a
FreeBSD testlab 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11 21:02:49 UTC 2014     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
root@testlab:~ # pkg install roundcube
[...]
[19/19] Extracting roundcube-1.0.3,1: 100%
Message for roundcube-1.0.3,1:
---------------------------------------------------------------------
FIRST INSTALLATION

If this is a first installation of RoundCube you have to create a new
database and a db user. Read INSTALL for detailed instructions.

UPGRADING

If you already had a previous version of RoundCube installed, you should
check your config files and DB schema are up-to-date. Read UPGRADING for
detailed instructions.
---------------------------------------------------------------------
root@testlab:~ # find /usr/local/www/roundcube/ -type f -name .htaccess
/usr/local/www/roundcube/plugins/enigma/home/.htaccess

While it should look like this:

root@testlab:~ # fetch -o /tmp/roundcubemail-1.0.3.tar.gz http://sourceforge.net/projects/roundcubemail/files/roundcubemail/1.0.3/roundcubemail-1.0.3.tar.gz
/tmp/roundcubemail-1.0.3.tar.gz               100% of 3890 kB 1131 kBps 00m03s
root@testlab:~ # tar zxf /tmp/roundcubemail-1.0.3.tar.gz -C /tmp/
root@testlab:~ # find /tmp/roundcubemail-1.0.3/ -type f -name .htaccess
/tmp/roundcubemail-1.0.3/plugins/enigma/home/.htaccess
/tmp/roundcubemail-1.0.3/.htaccess
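An added audit script, not code from the bug report or from the roundcube project, that flags a Roundcube webroot missing the upstream .htaccess protections described above. The sensitive directory list (config, temp, logs) and the two sample trees are constructed from the report; the RewriteRule line is a stand-in for the upstream rule, not a copy of it.

```shell
#!/bin/sh
# Added example: audit a Roundcube webroot for the .htaccess files the
# upstream tarball ships, so a package that drops the root .htaccess
# (as mail/roundcube did before 1.2.1) is caught before go-live.
# Sensitive directories follow the bug report: config, temp, logs.

# Print what is unprotected under webroot $1.
# Returns 0 when the root .htaccess exists and names every sensitive
# directory (or the directory carries its own .htaccess), 1 otherwise.
# Heuristic: grepping the directory name stands in for parsing the
# Deny/RewriteRule lines themselves.
check_roundcube_htaccess() {
    webroot=$1
    status=0
    if [ ! -f "$webroot/.htaccess" ]; then
        echo "MISSING: $webroot/.htaccess (upstream sample not installed)"
        status=1
    fi
    for d in config temp logs; do
        [ -d "$webroot/$d" ] || continue
        if [ -f "$webroot/$d/.htaccess" ]; then
            continue
        fi
        if [ -f "$webroot/.htaccess" ] && grep -q "$d" "$webroot/.htaccess"; then
            continue
        fi
        echo "EXPOSED: $webroot/$d is reachable unless httpd.conf denies it"
        status=1
    done
    return $status
}

# Build a constructed sample tree at $1 mimicking either the 1.0.3 pkg
# layout ("pkg": only plugins/enigma/home/.htaccess present) or the
# upstream tarball ("tarball": root .htaccess present as well).
make_sample_tree() {
    mkdir -p "$1/config" "$1/temp" "$1/logs" "$1/plugins/enigma/home"
    : > "$1/plugins/enigma/home/.htaccess"
    if [ "$2" = tarball ]; then
        # Constructed stand-in for the upstream rule denying these paths.
        printf 'RewriteRule ^(?:config|temp|logs)/ - [F]\n' > "$1/.htaccess"
    fi
}

# Stand-alone use: sh audit.sh /usr/local/www/roundcube
if [ -n "$1" ]; then
    check_roundcube_htaccess "$1"
fi
```

On a host where the root .htaccess is intentionally absent, the EXPOSED lines are the paths that an equivalent Directory/Require block in httpd.conf must deny instead.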
Auto-assigned to maintainer ale@FreeBSD.org
The root .htaccess is just a sample, you are responsible for protecting your web server appropriately.
If you use roundcube on other platforms (or install it from sources) then you get this sample, which protects you at some basic level. Roundcube's documentation refers to this missing file. The user should at least be warned during installation that the default .htaccess file is missing in this port. In my humble opinion deleting this file lowers security and should be fixed. Why was it removed?
(In reply to Lukasz Wasikowski from comment #3)

From what I can see, the root .htaccess contains relevant info about how roundcube sees its own protection requirements. It would be useful to install that file, probably as an .htaccess.sample?

Btw, the .htaccess files for the subdirectories are installed, so the reasoning behind not installing the root .htaccess seems a bit inconsistent?
Created attachment 174116 [details]
svn diff for mail/roundcube

Patch to update roundcube webmail to 1.2.1

mail/roundcube: Update to 1.2.1

- Update to 1.2.1
- Add missing .htaccess file in WWWDIR [1]
- Switch WANT_PHP_WEB to USES= php:web
- Add description for DB options group
- Convert all ${PORT_OPTIONS:Mfoo} to OPTIONS framework
- Convert target conditionals to target-OPT-on

PR:		196016 [1]
Submitted by:	Lukasz Wasikowski <lukasz@wasikowski.net> [1]
Can this be upgraded to 1.2.2 ?
test-building a 1.2.2 patch @work, based on the patch 174116
Created attachment 175388 [details]
patch-to-1.2.2

Testbuilds are fine.

TODO: run-tests
Committed for 1.2.2, 1.2.1 was done with r423243.
A commit references this bug:

Author: pi
Date: Fri Oct 7 19:09:56 UTC 2016
New revision: 423479
URL: https://svnweb.freebsd.org/changeset/ports/423479

Log:
  mail/roundcube: 1.2.1 -> 1.2.2

  PR:		196026
  Changes:	https://github.com/roundcube/roundcubemail/wiki/Changelog#release-122
  Submitted by:	brnrd
  Approved by:	ale (maintainer timeout)

Changes:
  head/mail/roundcube/Makefile
  head/mail/roundcube/distinfo
A commit references this bug:

Author: junovitch
Date: Sun Dec 4 21:03:15 UTC 2016
New revision: 427804
URL: https://svnweb.freebsd.org/changeset/ports/427804

Log:
  MFH: r423243 r423250 r423479 r427802

  mail/roundcube: Update to 1.2.1

  - Update to 1.2.1
  - Add missing .htaccess file in WWWDIR [1]
  - Switch WANT_PHP_WEB to USES= php:web
  - Add description for DB options group
  - Convert all ${PORT_OPTIONS:Mfoo} to OPTIONS framework
  - Convert target conditionals to target-OPT-on

  PR:		196016 [1]
  Submitted by:	Lukasz Wasikowski <lukasz@wasikowski.net> [1]
  Approved by:	Maintainer timeout

  mail/roundcube: fix dependency when using SQLite, bump PORTREVISION

  mail/roundcube: 1.2.1 -> 1.2.2

  PR:		196026
  Changes:	https://github.com/roundcube/roundcubemail/wiki/Changelog#release-122
  Submitted by:	brnrd
  Approved by:	ale (maintainer timeout)

  mail/roundcube: update 1.2.2 -> 1.2.3; add NO_ARCH while here

  Changes:	https://github.com/roundcube/roundcubemail/wiki/Changelog#release-123
  PR:		214925
  Submitted by:	brnrd
  Security:	https://vuxml.FreeBSD.org/freebsd/125f5958-b611-11e6-a9a5-b499baebfeaf.html

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2016Q4/
  branches/2016Q4/mail/roundcube/Makefile
  branches/2016Q4/mail/roundcube/distinfo