Apache protect more non-public folders and files (#6881)

* Apache protect more non-public folders

* Also protect root

* Do the same for /p/

* Simplify Require all denied
In case of Apache 2.2, it will just make an error 500 instead of 403

* .htaccess.dist

* Simplify

* Better comment

.devcontainer/.htaccess

@@ -0,0 +1 @@
+Require all denied

.github/.htaccess

@@ -0,0 +1 @@
+Require all denied

.gitignore

@@ -1,10 +1,11 @@
+/.htaccess
 /bin/
+/constants.local.php
+/data.back/
 /extensions/node_modules/
 /extensions/vendor/
 /node_modules/
 /vendor/
-/data.back/
-/constants.local.php
 
 .vscode/
 

.htaccess.dist

@@ -0,0 +1,7 @@
+# Copy this file to `.htaccess` for additional root-level protection
+# if you cannot set Apache `DocumentRoot` to `./p/` as recommended.
+
+# Deny files starting with a dot, or without extension, or not in a whitelist of extensions
+<FilesMatch "^\.|^[^.]+$|\.(?!css|gif|html|ico|js|php|png|svg|txt|woff|woff2)[^.]*$">
+	Require all denied
+</FilesMatch>

Docker/.htaccess

@@ -0,0 +1 @@
+Require all denied

app/.htaccess

@@ -1,11 +1 @@
-# Apache 2.2
-<IfModule !mod_authz_core.c>
-	Order	Allow,Deny
-	Deny	from all
-	Satisfy	all
-</IfModule>
-
-# Apache 2.4
-<IfModule mod_authz_core.c>
-	Require all denied
-</IfModule>
+Require all denied

cli/.htaccess

@@ -1,11 +1 @@
-# Apache 2.2
-<IfModule !mod_authz_core.c>
-	Order	Allow,Deny
-	Deny	from all
-	Satisfy	all
-</IfModule>
-
-# Apache 2.4
-<IfModule mod_authz_core.c>
-	Require all denied
-</IfModule>
+Require all denied

cli/prepare.php

@@ -25,17 +25,7 @@ foreach ($dirs as $dir) {
 }
 
 file_put_contents(DATA_PATH . '/.htaccess', <<<'EOF'
-# Apache 2.2
-<IfModule !mod_authz_core.c>
-	Order	Allow,Deny
-	Deny	from all
-	Satisfy	all
-</IfModule>
-
-# Apache 2.4
-<IfModule mod_authz_core.c>
-	Require all denied
-</IfModule>
+Require all denied
 
 EOF
 );

data/.htaccess

@@ -1,11 +1 @@
-# Apache 2.2
-<IfModule !mod_authz_core.c>
-	Order	Allow,Deny
-	Deny	from all
-	Satisfy	all
-</IfModule>
-
-# Apache 2.4
-<IfModule mod_authz_core.c>
-	Require all denied
-</IfModule>
+Require all denied

docs/.htaccess

@@ -0,0 +1 @@
+Require all denied

extensions/.htaccess

@@ -0,0 +1 @@
+Require all denied

extensions/index.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">
+<head>
+<meta charset="UTF-8" />
+<meta http-equiv="Refresh" content="0; url=/" />
+<title>Redirection</title>
+<meta name="robots" content="noindex" />
+</head>
+
+<body>
+<p><a href="/">Redirection</a></p>
+</body>
+</html>

lib/.htaccess

@@ -1,11 +1 @@
-# Apache 2.2
-<IfModule !mod_authz_core.c>
-	Order	Allow,Deny
-	Deny	from all
-	Satisfy	all
-</IfModule>
-
-# Apache 2.4
-<IfModule mod_authz_core.c>
-	Require all denied
-</IfModule>
+Require all denied

lib/index.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">
+<head>
+<meta charset="UTF-8" />
+<meta http-equiv="Refresh" content="0; url=/" />
+<title>Redirection</title>
+<meta name="robots" content="noindex" />
+</head>
+
+<body>
+<p><a href="/">Redirection</a></p>
+</body>
+</html>

p/.htaccess

@@ -1,3 +1,10 @@
+<IfModule mod_authz_core.c>
+	# Deny files starting with a dot, or without extension, or not in a whitelist of extensions
+	<FilesMatch "^\.|^[^.]+$|\.(?!css|gif|html|ico|js|php|png|svg|txt|woff|woff2)[^.]*$">
+		Require all denied
+	</FilesMatch>
+</IfModule>
+
 <IfModule mod_dir.c>
 	DirectoryIndex	index.php index.html
 </IfModule>

tests/.htaccess

@@ -0,0 +1 @@
+Require all denied

tests/index.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-GB" lang="en-GB">
+<head>
+<meta charset="UTF-8" />
+<meta http-equiv="Refresh" content="0; url=/" />
+<title>Redirection</title>
+<meta name="robots" content="noindex" />
+</head>
+
+<body>
+<p><a href="/">Redirection</a></p>
+</body>
+</html>