summaryrefslogtreecommitdiff
path: root/.htaccess
diff options
context:
space:
mode:
authorAleksander Machniak <alec@alec.pl>2013-12-13 10:04:41 +0100
committerAleksander Machniak <alec@alec.pl>2013-12-13 10:04:41 +0100
commit2dade15d83b9d0b105fcb35c9edd62bfeceece16 (patch)
treebd66972e58a00e002875c20340f40c06ddf4939f /.htaccess
parent4187b3e26ff00b607d05cb9b588e83db18c3cab7 (diff)
Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477)
Diffstat (limited to '.htaccess')
-rw-r--r--.htaccess26
1 files changed, 8 insertions, 18 deletions
diff --git a/.htaccess b/.htaccess
index 43ab5b04f..0342e0878 100644
--- a/.htaccess
+++ b/.htaccess
@@ -27,26 +27,16 @@ php_value session.gc_probability 1
RewriteEngine On
RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
-# security rules
-RewriteRule ^/?(\.git|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
-RewriteRule /?(README(.md)?|composer\.json-dist|composer\.json|package\.xml)$ - [F]
+# security rules:
+# - deny access to files not containing a dot or starting with a dot
+# in all locations except installer directory
+RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
+# - deny access to some locations
+RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+# - deny access to some documentation files
+RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
</IfModule>
-# deny access to all files not containing a "." (dot)
-# to block access to different README, Changelog, INSTALL, etc.
-# files of various skins and plugins.
-<FilesMatch "^[^\.]+$">
- # Apache 2.4
- <IfModule mod_authz_core.c>
- Require all denied
- </IfModule>
- # Apache 2.2
- <IfModule !mod_authz_core.c>
- Order Allow,Deny
- Deny from all
- </IfModule>
-</FilesMatch>
-
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
</IfModule>