From 86bced910a28ccf21e7958c9166856ad6f09aa0d Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Fri, 20 Jan 2023 14:18:55 +0000
Subject: [PATCH] Issue #3191389 by anmolgoyal74, greggles, larowlan, mcdruid,
 pwolanin, brayfe: File Inclusion issue security hardening

---
 .ht.router.php                           | 6 ++++++
 core/assets/scaffold/files/ht.router.php | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/.ht.router.php b/.ht.router.php
index 054f7119b0ea..2c8a6f6ac358 100644
--- a/.ht.router.php
+++ b/.ht.router.php
@@ -24,6 +24,12 @@
  * @see http://php.net/manual/en/features.commandline.webserver.php
  */
 
+if (PHP_SAPI !== 'cli-server') {
+  // Bail out if this is not PHP's Development Server.
+  header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
+  exit;
+}
+
 $url = parse_url($_SERVER['REQUEST_URI']);
 if (file_exists(__DIR__ . $url['path'])) {
   // Serve the requested resource as-is.
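Review bot: The new guard reads `$_SERVER['SERVER_PROTOCOL']`, which is normally not populated when the file is run under the plain `cli` SAPI, so that path emits an undefined-index warning before `exit`; `http_response_code(403);` sets the same status without depending on that key. The comment would also help more if it said why the check exists, e.g. `// This router maps REQUEST_URI onto a path under __DIR__, so refuse to run under any SAPI other than PHP's built-in development server.` The routing logic continues past the end of this hunk, so only the `file_exists(__DIR__ . $url['path'])` lookup is visible here. Both points apply equally to the identical hunk in `core/assets/scaffold/files/ht.router.php`.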
diff --git a/core/assets/scaffold/files/ht.router.php b/core/assets/scaffold/files/ht.router.php
index 054f7119b0ea..2c8a6f6ac358 100644
--- a/core/assets/scaffold/files/ht.router.php
+++ b/core/assets/scaffold/files/ht.router.php
@@ -24,6 +24,12 @@
  * @see http://php.net/manual/en/features.commandline.webserver.php
  */
 
+if (PHP_SAPI !== 'cli-server') {
+  // Bail out if this is not PHP's Development Server.
+  header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
+  exit;
+}
+
 $url = parse_url($_SERVER['REQUEST_URI']);
 if (file_exists(__DIR__ . $url['path'])) {
   // Serve the requested resource as-is.
-- 
GitLab