Commit dfa4cdeb authored by alexpott's avatar alexpott

Issue #2948579 by greggles, mcdruid, longwave, Chi, rabbitlair, alexpott,...

Issue #2948579 by greggles, mcdruid, longwave, Chi, rabbitlair, alexpott, DKAN, beckydev, interX, sammuell: Block web.config in .htaccess (and vice-versa)
parent 340d33e7
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
# #
# Protect files and directories from prying eyes. # Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"> <FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
<IfModule mod_authz_core.c> <IfModule mod_authz_core.c>
Require all denied Require all denied
</IfModule> </IfModule>
......
...@@ -86,6 +86,10 @@ protected function getProtectedFiles() { ...@@ -86,6 +86,10 @@ protected function getProtectedFiles() {
$file_paths["$path/composer.json"] = 403; $file_paths["$path/composer.json"] = 403;
$file_paths["$path/composer.lock"] = 403; $file_paths["$path/composer.lock"] = 403;
// Ensure web server configuration files cannot be accessed.
$file_paths["$path/.htaccess"] = 403;
$file_paths["$path/web.config"] = 403;
return $file_paths; return $file_paths;
} }
......
...@@ -22,7 +22,7 @@ ...@@ -22,7 +22,7 @@
<rewrite> <rewrite>
<rules> <rules>
<rule name="Protect files and directories from prying eyes" stopProcessing="true"> <rule name="Protect files and directories from prying eyes" stopProcessing="true">
<match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock))$" /> <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess)$" />
<action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." /> <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
</rule> </rule>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment