From 012555c1cef35601b543cde67bff8726de97eb39 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Thu, 07 May 2015 05:00:35 -0400
Subject: [PATCH] Add .htaccess files to deny access to config, temp, logs + describe how to protect access to these directories in the INSTALL instructions (#1490378)

---
 INSTALL          |   17 +++++++++++++++++
 config/.htaccess |    2 ++
 temp/.htaccess   |    2 ++
 logs/.htaccess   |    2 ++
 4 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/INSTALL b/INSTALL
index 67c0c05..0087a41 100644
--- a/INSTALL
+++ b/INSTALL
@@ -153,6 +153,23 @@
 	php_value       upload_max_filesize     2M
 
 
+SECURE YOUR INSTALLATION
+========================
+
+Access through the webserver to the following directories should be denied:
+
+  /config
+  /temp
+  /logs
+
+Roundcube uses .htaccess files to protect these directories, so be sure to
+allow override of the Limit directives to get them taken into account. The
+package also ships a .htaccess file in the root directory which defines some
+rewrite rules. In order to properly secure your installation, please enable
+mod_rewrite for Apache webserver and double check access to the above listed
+directories and their contents is denied.
+
+
 UPGRADING
 =========
 
diff --git a/config/.htaccess b/config/.htaccess
new file mode 100644
index 0000000..896e680
--- /dev/null
+++ b/config/.htaccess
@@ -0,0 +1,2 @@
+# deny webserver access to this directory
+Deny from all
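Review bot: `Deny from all` in the new config/.htaccess is Apache 2.2 access-control syntax; on Apache 2.4 it is understood only when mod_access_compat is loaded, and without that module requests into the directory fail with a 500 rather than a clean 403. The identical two-line file is added as logs/.htaccess and temp/.htaccess, so the same applies there. I would guard the directive by module so both server generations get a native rule, as in the block below. Note that `Require` is governed by `AllowOverride AuthConfig` rather than `Limit`, so the INSTALL paragraph in this patch would need to mention that as well. These files appear to be the only shipped protection for directories that presumably hold credentials and logs, and they are ignored entirely under `AllowOverride None`, so a comment in each file pointing at the INSTALL section would also help.

```apache
# deny webserver access to this directory
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Deny from all
</IfModule>
```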
diff --git a/logs/.htaccess b/logs/.htaccess
new file mode 100644
index 0000000..896e680
--- /dev/null
+++ b/logs/.htaccess
@@ -0,0 +1,2 @@
+# deny webserver access to this directory
+Deny from all
diff --git a/temp/.htaccess b/temp/.htaccess
new file mode 100644
index 0000000..896e680
--- /dev/null
+++ b/temp/.htaccess
@@ -0,0 +1,2 @@
+# deny webserver access to this directory
+Deny from all

--
Gitblit v1.9.1