From 91624037c7d73eb545478aab2f8abc55fc224453 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Fri, 11 Oct 2024 09:25:43 +0200 Subject: [PATCH] Apache protect more non-public folders and files (#6881) * Apache protect more non-public folders * Also protect root * Do the same for /p/ * Simplify Require all denied In case of Apache 2.2, it will just make an error 500 instead of 403 * .htaccess.dist * Simplify * Better comment --- .devcontainer/.htaccess | 1 + .github/.htaccess | 1 + .gitignore | 5 +++-- .htaccess.dist | 7 +++++++ Docker/.htaccess | 1 + app/.htaccess | 12 +----------- cli/.htaccess | 12 +----------- cli/prepare.php | 12 +----------- data/.htaccess | 12 +----------- docs/.htaccess | 1 + extensions/.htaccess | 1 + extensions/index.html | 13 +++++++++++++ lib/.htaccess | 12 +----------- lib/index.html | 13 +++++++++++++ p/.htaccess | 7 +++++++ tests/.htaccess | 1 + tests/index.html | 13 +++++++++++++ 17 files changed, 67 insertions(+), 57 deletions(-) create mode 100644 .devcontainer/.htaccess create mode 100644 .github/.htaccess create mode 100644 .htaccess.dist create mode 100644 Docker/.htaccess create mode 100644 docs/.htaccess create mode 100644 extensions/.htaccess create mode 100644 extensions/index.html create mode 100644 lib/index.html create mode 100644 tests/.htaccess create mode 100644 tests/index.html
diff --git a/.devcontainer/.htaccess b/.devcontainer/.htaccess
new file mode 100644
index 000000000..b66e80882
--- /dev/null
+++ b/.devcontainer/.htaccess
@@ -0,0 +1 @@
+Require all denied
diff --git a/.github/.htaccess b/.github/.htaccess
new file mode 100644
index 000000000..b66e80882
--- /dev/null
+++ b/.github/.htaccess
@@ -0,0 +1 @@
+Require all denied
diff --git a/.gitignore b/.gitignore
index 2eff18708..ef4138383 100644
--- a/.gitignore
+++ b/.gitignore
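Review bot: The one-line `Require all denied` added in `.devcontainer/.htaccess` says nothing about what it depends on, and the same file content is used for `.github`, `Docker`, `app`, `cli`, `data`, `docs`, `extensions`, `lib` and `tests`. The directive is honoured in a .htaccess file only when the server configuration allows it there (`AllowOverride AuthConfig` or broader); under `AllowOverride None` the file is ignored and the folder stays readable, with no error to signal it. I would add a leading comment such as `# Needs Apache 2.4 (mod_authz_core) and AllowOverride AuthConfig; check that a request to this folder returns 403`, so that an administrator knows to verify the rule rather than assume it is active.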
@@ -1,10 +1,11 @@ +/.htaccess /bin/ +/constants.local.php +/data.back/ /extensions/node_modules/ /extensions/vendor/ /node_modules/ /vendor/ -/data.back/ -/constants.local.php .vscode/ diff --git a/.htaccess.dist b/.htaccess.dist new file mode 100644 index 000000000..8821ae1ea --- /dev/null +++ b/.htaccess.dist @@ -0,0 +1,7 @@ +# Copy this file to `.htaccess` for additional root-level protection +# if you cannot set Apache `DocumentRoot` to `./p/` as recommended. + +# Deny files starting with a dot, or without extension, or not in a whitelist of extensions + + Require all denied + diff --git a/Docker/.htaccess b/Docker/.htaccess new file mode 100644 index 000000000..b66e80882 --- /dev/null +++ b/Docker/.htaccess @@ -0,0 +1 @@ +Require all denied diff --git a/app/.htaccess b/app/.htaccess index 32eca30f7..b66e80882 100644 --- a/app/.htaccess +++ b/app/.htaccess @@ -1,11 +1 @@ -# Apache 2.2 - - Order Allow,Deny - Deny from all - Satisfy all - - -# Apache 2.4 - - Require all denied - +Require all denied diff --git a/cli/.htaccess b/cli/.htaccess index 32eca30f7..b66e80882 100644 --- a/cli/.htaccess +++ b/cli/.htaccess @@ -1,11 +1 @@ -# Apache 2.2 - - Order Allow,Deny - Deny from all - Satisfy all - - -# Apache 2.4 - - Require all denied - +Require all denied diff --git a/cli/prepare.php b/cli/prepare.php index 414b48cd8..0b9faf044 100755 --- a/cli/prepare.php +++ b/cli/prepare.php @@ -25,17 +25,7 @@ foreach ($dirs as $dir) { } file_put_contents(DATA_PATH . '/.htaccess', <<<'EOF' -# Apache 2.2 - - Order Allow,Deny - Deny from all - Satisfy all - - -# Apache 2.4 - - Require all denied - +Require all denied EOF ); diff --git a/data/.htaccess b/data/.htaccess index 32eca30f7..b66e80882 100644 --- a/data/.htaccess +++ b/data/.htaccess @@ -1,11 +1 @@ -# Apache 2.2 - - Order Allow,Deny - Deny from all - Satisfy all - - -# Apache 2.4 - - Require all denied - +Require all denied diff --git a/docs/.htaccess b/docs/.htaccess new file mode 100644 index 000000000..b66e80882 
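Review bot: The header comment of `.htaccess.dist` tells the administrator to copy the file but not to keep the copy current. Because this commit also adds `/.htaccess` to `.gitignore`, a copied file will not follow later changes to the deny rule. I would add a line such as `# Re-copy this file after each update: the copy is git-ignored and is not refreshed automatically.` The same comment and `Require all denied` rule also appear in the `p/.htaccess` hunk, so a short remark in both places that the two rules are meant to be kept in step would limit drift; the match pattern itself is not visible on this page, so it is not reviewed here.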
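Review bot: The return value of `file_put_contents(DATA_PATH . '/.htaccess', …)` in `cli/prepare.php` is discarded in the lines shown, so a failed write (for example a read-only or wrongly owned data folder) leaves that folder without its deny rule and the script gives no sign of it. I would assign the nowdoc to a variable and test the result, e.g. `if (file_put_contents(DATA_PATH . '/.htaccess', $rules) === false) { fwrite(STDERR, "Could not write .htaccess in data folder\n"); }`. The script starts and ends outside the hunk, so how it reports other failures is not visible here and the message style should follow whatever it already uses.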
--- /dev/null +++ b/docs/.htaccess @@ -0,0 +1 @@ +Require all denied diff --git a/extensions/.htaccess b/extensions/.htaccess new file mode 100644 index 000000000..b66e80882 --- /dev/null +++ b/extensions/.htaccess @@ -0,0 +1 @@ +Require all denied diff --git a/extensions/index.html b/extensions/index.html new file mode 100644 index 000000000..85faaa37e --- /dev/null +++ b/extensions/index.html @@ -0,0 +1,13 @@ + + + + + +Redirection + + + + +

Redirection

+ + diff --git a/lib/.htaccess b/lib/.htaccess index 32eca30f7..b66e80882 100644 --- a/lib/.htaccess +++ b/lib/.htaccess @@ -1,11 +1 @@ -# Apache 2.2 - - Order Allow,Deny - Deny from all - Satisfy all - - -# Apache 2.4 - - Require all denied - +Require all denied diff --git a/lib/index.html b/lib/index.html new file mode 100644 index 000000000..85faaa37e --- /dev/null +++ b/lib/index.html @@ -0,0 +1,13 @@ + + + + + +Redirection + + + + +

Redirection

+ + diff --git a/p/.htaccess b/p/.htaccess index 70bc34710..94c4e08e5 100644 --- a/p/.htaccess +++ b/p/.htaccess @@ -1,3 +1,10 @@ + + # Deny files starting with a dot, or without extension, or not in a whitelist of extensions + + Require all denied + + + DirectoryIndex index.php index.html diff --git a/tests/.htaccess b/tests/.htaccess new file mode 100644 index 000000000..b66e80882 --- /dev/null +++ b/tests/.htaccess @@ -0,0 +1 @@ +Require all denied diff --git a/tests/index.html b/tests/index.html new file mode 100644 index 000000000..85faaa37e --- /dev/null +++ b/tests/index.html @@ -0,0 +1,13 @@ + + + + + +Redirection + + + + +

Redirection

+ +