authorStefan Fritsch <sf@sfritsch.de>2016-05-28 11:43:41 +0200
committerStefan Fritsch <sf@sfritsch.de>2016-05-28 11:43:41 +0200
commit423c773a6872d5ba87d07caf6ef7d73360d1c6b1 (patch)
tree7d684ef9a307a533ef419379842d53e891ad63af
parent9030f8b0232d3ecb6489bc13cc10f8134c670f7f (diff)
downloadapache2-423c773a6872d5ba87d07caf6ef7d73360d1c6b1.tar.gz
Remove links to manpages.debian.org in default index.html
While there, add some rel="nofollow" to other links. Also update problematic index.html files in postinst.
-rw-r--r--debian/apache2.postinst23
-rw-r--r--debian/apache2.postrm1
-rw-r--r--debian/changelog2
-rw-r--r--debian/index.html18
4 files changed, 35 insertions, 9 deletions
diff --git a/debian/apache2.postinst b/debian/apache2.postinst
index 0b6ed2ed..9385a826 100644
--- a/debian/apache2.postinst
+++ b/debian/apache2.postinst
@@ -76,6 +76,21 @@ install_default_site()
fi
}
+is_problematic_index_html () {
+ local FILE="$1"
+ [ -f "$FILE" ] || return 1
+ local MD5=$(md5sum "$FILE" 2> /dev/null |cut -d' ' -f 1) ||
+ return 1
+ grep -q "$MD5" <<- EOF
+ 1736dfc80cf1f5a8966c096a0b094377
+ 776221a94e5a174dc2396c0f3f6b6a74
+ 51a41c3207374dad24ec64a0f2646bdc
+ c481228d439cbb54bdcedbaec5bbb11a
+ 3183a3d71d86bcc88aaf3ca5cbbefb45
+ 74cec59a19e5d16f7cc6a2445e35fa3b
+ EOF
+}
+
# XXX: This site is installed in the apache2-data package. Should the postinst
# scriptlet move there too?
install_default_files()
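Review bot: In is_problematic_index_html an empty checksum is not caught. `local MD5=$(...) || return 1` tests the status of `local`, and the pipeline's own status is that of `cut`, so a failing md5sum leaves MD5 empty; `grep -q ""` then matches every line of the here-document. The function would report the file as problematic and the caller would overwrite it. Adding `[ -n "$MD5" ] || return 1` after the assignment and matching with `grep -qxF "$MD5"` turns the comparison into a whole-line, fixed-string test. The `-x` form assumes the here-document lines are tab-indented so that `<<-` strips the indent, which the rendered page does not show.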
@@ -98,6 +113,14 @@ install_default_files()
if $do_copy ; then
cp /usr/share/apache2/default-site/index.html /var/www/html/index.html
fi
+ else
+ # see #821313
+ for dir in /var/www /var/www/html ; do
+ local file=$dir/index.html
+ if is_problematic_index_html $file ; then
+ cp /usr/share/apache2/default-site/index.html $file
+ fi
+ done
fi
}
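Review bot: The check-then-copy in the new `else` branch runs as root against /var/www and /var/www/html, and `cp` writes through a symlink at the destination. If either directory is writable by a non-root account on a given system, the target could change between is_problematic_index_html and the `cp`. Refusing symlinks narrows this window, e.g. `if [ ! -L "$file" ] && is_problematic_index_html "$file" ; then`, and `$file` should be quoted in the `cp` as well. Extending `# see #821313` to say that only files whose checksum matches a previously shipped default are replaced would document why the overwrite is safe for locally edited pages. The enclosing `if` and install_default_files start outside this hunk.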
diff --git a/debian/apache2.postrm b/debian/apache2.postrm
index e525a2e2..7023734e 100644
--- a/debian/apache2.postrm
+++ b/debian/apache2.postrm
@@ -32,6 +32,7 @@ is_default_index_html () {
74cec59a19e5d16f7cc6a2445e35fa3b
776221a94e5a174dc2396c0f3f6b6a74
c481228d439cbb54bdcedbaec5bbb11a
+ 675d549372241f55964b5f886921b06d
EOF
}
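Review bot: The added checksum `675d549372241f55964b5f886921b06d` carries no indication of which index.html revision it belongs to, and the list has to be updated by hand whenever debian/index.html changes. A comment above is_default_index_html (which starts outside this hunk), such as `# md5sums of every index.html shipped so far; add the new sum whenever debian/index.html changes`, would make that obligation explicit. Presumably this value is the sum of the index.html from this commit; that cannot be confirmed from the page.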
diff --git a/debian/changelog b/debian/changelog
index 4525f7c1..19c9a114 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ apache2 (2.4.20-2) UNRELEASED; urgency=medium
Closes: #820824
* Fix race condition and logical error in init script. Thanks to Thomas
Stangner for the patch. Closes: #822144
+ * Remove links to manpages.debian.org in default index.html to avoid
+ broken robots doing a DoS on the site. Closes: #821313
-- Stefan Fritsch <sf@debian.org> Sat, 28 May 2016 10:58:26 +0200
diff --git a/debian/index.html b/debian/index.html
index 6782988c..766401df 100644
--- a/debian/index.html
+++ b/debian/index.html
@@ -293,17 +293,17 @@
*-available/ counterparts. These should be managed
by using our helpers
<tt>
- <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2enmod">a2enmod</a>,
- <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2dismod">a2dismod</a>,
+ a2enmod,
+ a2dismod,
</tt>
<tt>
- <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2ensite">a2ensite</a>,
- <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2dissite">a2dissite</a>,
+ a2ensite,
+ a2dissite,
</tt>
and
<tt>
- <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2enconf">a2enconf</a>,
- <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2disconf">a2disconf</a>
+ a2enconf,
+ a2disconf
</tt>. See their respective man pages for detailed information.
</li>
@@ -326,7 +326,7 @@
<p>
By default, Debian does not allow access through the web browser to
<em>any</em> file apart of those located in <tt>/var/www</tt>,
- <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html">public_html</a>
+ <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a>
directories (when enabled) and <tt>/usr/share</tt> (for web
applications). If your site is using a web document root
located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your
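Review bot: `rel="nofollow"` on the mod_userdir link here, and on the bugs.debian.org link in the next hunk, is only a hint that well-behaved crawlers honour. The changelog entry names broken robots as the problem, and those may still follow these anchors from every host that serves the default page. If load on the linked sites is the concern, the approach taken for the man page links (plain text, no anchor) is the one that removes the traffic. Both remaining links also use `http://`; `https://httpd.apache.org/docs/2.4/mod/mod_userdir.html` would keep readers of the default page off cleartext.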
@@ -347,8 +347,8 @@
<p>
Please use the <tt>reportbug</tt> tool to report bugs in the
Apache2 package with Debian. However, check <a
- href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0">existing
- bug reports</a> before reporting a new bug.
+ href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0"
+ rel="nofollow">existing bug reports</a> before reporting a new bug.
</p>
<p>
Please report bugs specific to modules (such as PHP and others)