From ad48860b75e8eb4c8ceec9835c3422859b210e22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= <cjeanner@redhat.com>
Date: Mon, 2 Dec 2019 10:55:03 +0100
Subject: [PATCH] Ensure no directory listing is active

By default, the puppetlabs-apache module enables the Indexes option, which can
lead to data/structure leaks.

This patch disables that option globally, since we
shouldn't need such a feature.

Closes-Bug: #1854442
Change-Id: Icba53f4e32237556608f4cb6dcd9da1a71705c19
---
 manifests/wsgi/apache.pp                                    | 1 +
 .../notes/no-directory-listing-8e6270ed0e1eb1d0.yaml        | 6 ++++++
 spec/defines/openstacklib_wsgi_apache_spec.rb               | 3 ++-
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/no-directory-listing-8e6270ed0e1eb1d0.yaml

diff --git a/manifests/wsgi/apache.pp b/manifests/wsgi/apache.pp
index 7f8f666c..6dc817b5 100644
--- a/manifests/wsgi/apache.pp
+++ b/manifests/wsgi/apache.pp
@@ -365,6 +365,7 @@ define openstacklib::wsgi::apache (
     error_log_file              => $error_log_file,
     error_log_pipe              => $error_log_pipe,
     error_log_syslog            => $error_log_syslog,
+    options                     => ['-Indexes', '+FollowSymLinks','+MultiViews'],
   }
 
   Package<| title == 'httpd' |>
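Review bot: The added `options` value on the vhost is a hard-coded literal that keeps `+FollowSymLinks` and `+MultiViews`, so the hardening stops at directory listing and callers of the define cannot tighten it further. MultiViews content negotiation is rarely needed on a WSGI vhost and could be dropped, and `+SymLinksIfOwnerMatch` is the stricter choice if symlinks must be followed; consider exposing the list as a define parameter with the current value as its default, e.g. `$vhost_options = ['-Indexes', '+FollowSymLinks', '+MultiViews']` and `options => $vhost_options,`. Inferred from puppetlabs-apache behaviour rather than from these lines: `options` only reaches the default docroot directory block, so it is worth confirming that this define does not also pass `directories`, which would bypass the new setting. The resource declaration starts outside the hunk.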
diff --git a/releasenotes/notes/no-directory-listing-8e6270ed0e1eb1d0.yaml b/releasenotes/notes/no-directory-listing-8e6270ed0e1eb1d0.yaml
new file mode 100644
index 00000000..46a1a9c1
--- /dev/null
+++ b/releasenotes/notes/no-directory-listing-8e6270ed0e1eb1d0.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - Do not authorize directory listing
+fixes:
+  - rhbz#1778052
+  - LP#1854442
diff --git a/spec/defines/openstacklib_wsgi_apache_spec.rb b/spec/defines/openstacklib_wsgi_apache_spec.rb
index 81df3f5d..730853dc 100644
--- a/spec/defines/openstacklib_wsgi_apache_spec.rb
+++ b/spec/defines/openstacklib_wsgi_apache_spec.rb
@@ -94,7 +94,8 @@ describe 'openstacklib::wsgi::apache' do
         :access_log_format           => false,
         :error_log_file              => nil,
         :error_log_pipe              => nil,
-        :error_log_syslog            => nil
+        :error_log_syslog            => nil,
+        :options                     => ['-Indexes', '+FollowSymLinks','+MultiViews'],
       )}
 
       it { should contain_concat("#{platform_params[:httpd_ports_file]}") }
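Review bot: The expected `:options` array has no space after its second comma (`'+FollowSymLinks','+MultiViews'`), and the literal added in manifests/wsgi/apache.pp has the same spacing; `['-Indexes', '+FollowSymLinks', '+MultiViews']` reads consistently in both places. Since `-Indexes` is the security-relevant entry, a short comment above the line such as `# -Indexes: directory listing must stay disabled (LP#1854442)` would keep a later edit from dropping it unnoticed. The enclosing `it` block starts outside the hunk.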