Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477)

1 files changed, 8 insertions, 18 deletions

diff --git a/.htaccess b/.htaccess
index 43ab5b04f..0342e0878 100644
--- a/.htaccess
+++ b/.htaccess
@@ -27,26 +27,16 @@ php_value	session.gc_probability	1
 RewriteEngine On
 RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
 
-# security rules
-RewriteRule ^/?(\.git|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
-RewriteRule /?(README(.md)?|composer\.json-dist|composer\.json|package\.xml)$ - [F]
+# security rules:
+# - deny access to files not containing a dot or starting with a dot
+#   in all locations except installer directory
+RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
+# - deny access to some locations
+RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+# - deny access to some documentation files
+RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
 </IfModule>
 
-# deny access to all files not containing a "." (dot)
-# to block access to different README, Changelog, INSTALL, etc.
-# files of various skins and plugins.
-<FilesMatch "^[^\.]+$">
-    # Apache 2.4
-    <IfModule mod_authz_core.c>
-        Require all denied
-    </IfModule>
-    # Apache 2.2
-    <IfModule !mod_authz_core.c>
-        Order Allow,Deny
-        Deny from all
-    </IfModule>
-</FilesMatch>
-
 <IfModule mod_deflate.c>
 SetOutputFilter DEFLATE
 </IfModule>