[TASK] Block web access to *.tsconfig files 88/57788/2
authorStephan Großberndt <stephan.grossberndt@typo3.org>
Fri, 3 Aug 2018 08:22:02 +0000 (10:22 +0200)
committerMarkus Klein <markus.klein@typo3.org>
Fri, 3 Aug 2018 09:47:31 +0000 (11:47 +0200)
Resolves: #85738
Releases: master, 8.7
Change-Id: I824cdce7c08e5390eafb654e2066b8f61db3c0ac
Reviewed-on: https://review.typo3.org/57788
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Daniel Goerz <daniel.goerz@posteo.de>
Tested-by: Daniel Goerz <daniel.goerz@posteo.de>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Markus Klein <markus.klein@typo3.org>
_.htaccess
_web.config

index b5152a9..a95c094 100644 (file)
@@ -95,7 +95,7 @@
        </IfModule>
 
        <IfModule mod_mime.c>
-               AddEncoding gzip              svgz
+               AddEncoding gzip svgz
        </IfModule>
 </IfModule>
 
@@ -312,7 +312,7 @@ AddDefaultCharset utf-8
 # Access block for files
 # Apache < 2.3
 <IfModule !mod_authz_core.c>
-       <FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sqlite(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
+       <FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sqlite(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
                Order allow,deny
                Deny from all
                Satisfy All
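Review bot: The blocked-extension list edited in this `FilesMatch` pattern exists in three hand-maintained copies: here, in the `<If>` expression of the next hunk (Apache ≥ 2.3), and in `_web.config`. Nothing in the file tells a maintainer they must change together, so a later addition can land in only one copy and leave that file type served on the other server branch. I would add a comment above `# Access block for files`, for example `# Keep the extension list identical in both Apache blocks below and in _web.config`. The block is also purely name-based, so TSconfig stored under an extension that is not in the list is not covered by this change. The `<FilesMatch>` section closes outside this hunk.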
@@ -320,7 +320,7 @@ AddDefaultCharset utf-8
 </IfModule>
 # Apache ≥ 2.3
 <IfModule mod_authz_core.c>
-       <If "%{REQUEST_URI} =~ m#(?i:/\.|/\x23.*\x23|/(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|/composer\.(?:json|lock)|/ext_conf_template\.txt|/ext_typoscript_constants\.txt|/ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sqlite(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$#">
+       <If "%{REQUEST_URI} =~ m#(?i:/\.|/\x23.*\x23|/(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|/composer\.(?:json|lock)|/ext_conf_template\.txt|/ext_typoscript_constants\.txt|/ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sqlite(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$#">
                Require all denied
        </If>
 </IfModule>
index b219598..97e7aee 100644 (file)
@@ -28,7 +28,7 @@
                     <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
                 </rule>
                 <rule name="TYPO3 - Block access to miscellaneous protected files">
-                    <match url="/.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql|sqlite)$" ignoreCase="true" />
+                    <match url="/.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql|sqlite)$" ignoreCase="true" />
                     <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
                 </rule>
                 <rule name="TYPO3 - Block access to recycler and temporary directories">
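Review bot: The `match url` pattern on the changed line starts with a literal `/`, but IIS URL Rewrite evaluates rule patterns against the request path without its leading slash. As far as I can tell, a `.tsconfig` file (or any other listed type) sitting directly in the site root therefore never matches and stays downloadable. Dropping the prefix closes that gap: `<match url="\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql|sqlite)$" ignoreCase="true" />`. This list is also shorter than the Apache one in `_.htaccess` (no `sw[op]`, `git.*` or suffixed `sql`/`sqlite` variants). Rules outside this hunk may cover those, so that is worth confirming rather than assuming.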
@@ -39,7 +39,7 @@
                     <match url="fileadmin/(?:templates)/.*\.(?:txt|ts)$" ignoreCase="false" />
                     <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
                 </rule>
-                <rule name="TYPO3 - Block access to libaries, source and temporary compiled data">
+                <rule name="TYPO3 - Block access to libraries, source and temporary compiled data">
                     <match url="^(?:vendor|typo3_src|typo3temp/var)" ignoreCase="false" />
                     <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
                 </rule>