From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Fri, 06 May 2016 02:32:01 -0400 Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241) --- .htaccess | 21 +++++++++++++++------ 1 files changed, 15 insertions(+), 6 deletions(-) diff --git a/.htaccess b/.htaccess index 704779e..26fec1a 100644 --- a/.htaccess +++ b/.htaccess @@ -10,6 +10,7 @@ php_value post_max_size 6M php_value memory_limit 64M +php_flag register_globals Off php_flag zlib.output_compression Off php_flag magic_quotes_gpc Off php_flag magic_quotes_runtime Off @@ -17,18 +18,24 @@ php_flag suhosin.session.encrypt Off #php_value session.cookie_path / -php_value session.auto_start 0 +php_flag session.auto_start Off php_value session.gc_maxlifetime 21600 php_value session.gc_divisor 500 php_value session.gc_probability 1 - -# http://bugs.php.net/bug.php?id=30766 -php_value mbstring.func_overload 0 </IfModule> <IfModule mod_rewrite.c> RewriteEngine On -RewriteRule ^favicon.ico$ skins/default/images/favicon.ico +RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico + +# security rules: +# - deny access to files not containing a dot or starting with a dot +# in all locations except installer directory +RewriteRule ^(?!installer|\.well-known\/)(\.?[^\.]+)$ - [F] +# - deny access to some locations +RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F] +# - deny access to some documentation files +RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F] </IfModule> <IfModule mod_deflate.c> @@ -47,4 +54,6 @@ FileETag MTime Size - +<IfModule mod_autoindex.c> +Options -Indexes +</ifModule> -- Gitblit v1.9.1