diff options
| -rw-r--r-- | .htaccess | 26 | ||||
| -rw-r--r-- | CHANGELOG | 1 |
2 files changed, 9 insertions, 18 deletions
@@ -27,26 +27,16 @@ php_value session.gc_probability 1 RewriteEngine On RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico -# security rules -RewriteRule ^/?(\.git|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F] -RewriteRule /?(README(.md)?|composer\.json-dist|composer\.json|package\.xml)$ - [F] +# security rules: +# - deny access to files not containing a dot or starting with a dot +# in all locations except installer directory +RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F] +# - deny access to some locations +RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F] +# - deny access to some documentation files +RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F] </IfModule> -# deny access to all files not containing a "." (dot) -# to block access to different README, Changelog, INSTALL, etc. -# files of various skins and plugins. -<FilesMatch "^[^\.]+$"> - # Apache 2.4 - <IfModule mod_authz_core.c> - Require all denied - </IfModule> - # Apache 2.2 - <IfModule !mod_authz_core.c> - Order Allow,Deny - Deny from all - </IfModule> -</FilesMatch> - <IfModule mod_deflate.c> SetOutputFilter DEFLATE </IfModule> @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477) - Fix regression where only first new folder was placed in correct place on the list (#1489472) - Fix issue where children of selected and collapsed thread were skipped on various actions (#1489457) - Fix issue where groups were not deleted when "Replace entire addressbook" option on contacts import was used (#1489420) |