From 037af6890fe6fdb84a08d3c86083e847c90ec0ad Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Tue, 22 Oct 2013 08:17:26 -0400 Subject: [PATCH] Fix vulnerability in handling _session argument of utils/save-prefs (#1489382) --- .htaccess | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++------- 1 files changed, 50 insertions(+), 7 deletions(-) diff --git a/.htaccess b/.htaccess index 2244a05..345d26d 100644 --- a/.htaccess +++ b/.htaccess @@ -1,13 +1,56 @@ # AddDefaultCharset UTF-8 +AddType text/x-component .htc + +<IfModule mod_php5.c> php_flag display_errors Off php_flag log_errors On -php_value error_log logs/errors +# php_value error_log logs/errors + php_value upload_max_filesize 5M +php_value post_max_size 6M +php_value memory_limit 64M -<FilesMatch "(\.inc|\~)$"> - Order allow,deny - Deny from all -</FilesMatch> +php_flag zlib.output_compression Off +php_flag magic_quotes_gpc Off +php_flag magic_quotes_runtime Off +php_flag zend.ze1_compatibility_mode Off +php_flag suhosin.session.encrypt Off -Order deny,allow -Allow from all +#php_value session.cookie_path / +php_flag session.auto_start Off +php_value session.gc_maxlifetime 21600 +php_value session.gc_divisor 500 +php_value session.gc_probability 1 + +# http://bugs.php.net/bug.php?id=30766 +php_value mbstring.func_overload 0 +</IfModule> + +<IfModule mod_rewrite.c> +RewriteEngine On +RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico +# security rules +RewriteRule \.git - [F] +RewriteRule ^/?(README(.md)?|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ - [F] +RewriteRule ^/?(SQL|bin) - [F] +</IfModule> + +<IfModule mod_deflate.c> +SetOutputFilter DEFLATE +</IfModule> + +<IfModule mod_headers.c> +# replace 'append' with 'merge' for Apache version 2.2.9 and later +#Header append Cache-Control public env=!NO_CACHE +</IfModule> + +<IfModule mod_expires.c> +ExpiresActive On +ExpiresDefault "access plus 1 month" +</IfModule> + +FileETag MTime Size + +<IfModule mod_autoindex.c> +Options -Indexes +</ifModule> -- Gitblit v1.9.1