[TASK] Improve strictness of resource access blocking in _.htaccess 42/55942/2
authorMarkus Klein <markus.klein@typo3.org>
Wed, 28 Feb 2018 12:50:53 +0000 (13:50 +0100)
committerChristian Kuhn <lolli@schwarzbu.ch>
Wed, 28 Feb 2018 15:52:18 +0000 (16:52 +0100)
For Apache HTTP versions 2.3+ there is a better way to avoid conflicts
in the priority of configuration sections. Since the `if` condition was
introduced it has been ranked with the highest priority, hence it is the
most suitable place for rules that protect sensitive data.

Resolves: #81849
Releases: master, 8.7
Change-Id: I3f6edf1e3af55dc3ce901080045c8d353eb89ef9
Reviewed-on: https://review.typo3.org/55942
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
_.htaccess

index 0275b1a..03e8794 100644 (file)
@@ -310,19 +310,20 @@ AddDefaultCharset utf-8
 </IfModule>
 
 # Access block for files
-<FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
-       # Apache < 2.3
-       <IfModule !mod_authz_core.c>
-               Order allow,deny
-               Deny from all
-               Satisfy All
-       </IfModule>
-
-       # Apache ≥ 2.3
-       <IfModule mod_authz_core.c>
-               Require all denied
-       </IfModule>
-</FilesMatch>
+# Apache < 2.3
+<IfModule !mod_authz_core.c>
+    <FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
+        Order allow,deny
+        Deny from all
+        Satisfy All
+    </FilesMatch>
+</IfModule>
+# Apache ≥ 2.3
+<IfModule mod_authz_core.c>
+    <If "%{REQUEST_URI} =~ m#(?i:/\.|/\x23.*\x23|/(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|/composer\.(?:json|lock)|/ext_conf_template\.txt|/ext_typoscript_constants\.txt|/ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$#">
+        Require all denied
+    </If>
+</IfModule>
 
 # Block access to vcs directories
 <IfModule mod_alias.c>
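Review bot: The `<If>` added under `<IfModule mod_authz_core.c>` matches `%{REQUEST_URI}` instead of the mapped filename, so on Apache 2.3+ the block now depends on the request path rather than on which file is actually served; the removed `FilesMatch` was evaluated against the resolved file regardless of how the URI reached it, and a request whose path does not end in the protected name (trailing PATH_INFO after the filename, an Alias, or a non-canonical encoding, depending on whether the expression sees the URI before or after decoding — worth confirming) would no longer be caught. Keeping a `<FilesMatch "…same pattern as the pre-2.3 branch…">` / `Require all denied` / `</FilesMatch>` block next to the `<If>` inside the same `<IfModule>` would retain filename-based coverage while the `<If>` still settles the section-priority problem the commit addresses. The `\x23` escapes in the expression deserve a comment so the next reader does not "fix" them, e.g. `# \x23 is a literal '#' (presumably escaped to keep it out of comment/fragment handling)`, and the removed version's blank line between the two `<IfModule>` sections could be restored for readability.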