From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Fri, 06 May 2016 02:32:01 -0400
Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241)

---
 .htaccess |   21 ++++++++++-----------
 1 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/.htaccess b/.htaccess
index 10af309..26fec1a 100644
--- a/.htaccess
+++ b/.htaccess
@@ -10,6 +10,7 @@
 php_value	post_max_size		6M
 php_value	memory_limit		64M
 
+php_flag	register_globals	Off
 php_flag	zlib.output_compression		Off
 php_flag	magic_quotes_gpc		Off
 php_flag	magic_quotes_runtime		Off
@@ -26,18 +27,16 @@
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
-# security rules
-RewriteRule \.git - [F]
-RewriteRule ^/?(README(.md)?|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ - [NC,F]
-RewriteRule ^/?(SQL|bin) - [NC,F]
-</IfModule>
 
-# deny access to all files not containing a "." (dot)
-# to block access to different README, ChangeLog, etc. files
-# of various skins and plugins.
-<FilesMatch "^[^\.]+$">
-Deny from all
-</FilesMatch>
+# security rules:
+# - deny access to files not containing a dot or starting with a dot
+#   in all locations except installer directory
+RewriteRule ^(?!installer|\.well-known\/)(\.?[^\.]+)$ - [F]
+# - deny access to some locations
+RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+# - deny access to some documentation files
+RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
+</IfModule>
 
 <IfModule mod_deflate.c>
 SetOutputFilter DEFLATE

--
Gitblit v1.9.1