From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Fri, 06 May 2016 02:32:01 -0400 Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241) --- .htaccess | 21 ++++++++++----------- 1 files changed, 10 insertions(+), 11 deletions(-) diff --git a/.htaccess b/.htaccess index 10af309..26fec1a 100644 --- a/.htaccess +++ b/.htaccess @@ -10,6 +10,7 @@ php_value post_max_size 6M php_value memory_limit 64M +php_flag register_globals Off php_flag zlib.output_compression Off php_flag magic_quotes_gpc Off php_flag magic_quotes_runtime Off @@ -26,18 +27,16 @@ <IfModule mod_rewrite.c> RewriteEngine On RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico -# security rules -RewriteRule \.git - [F] -RewriteRule ^/?(README(.md)?|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ - [NC,F] -RewriteRule ^/?(SQL|bin) - [NC,F] -</IfModule> -# deny access to all files not containing a "." (dot) -# to block access to different README, ChangeLog, etc. files -# of various skins and plugins. -<FilesMatch "^[^\.]+$"> -Deny from all -</FilesMatch> +# security rules: +# - deny access to files not containing a dot or starting with a dot +# in all locations except installer directory +RewriteRule ^(?!installer|\.well-known\/)(\.?[^\.]+)$ - [F] +# - deny access to some locations +RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F] +# - deny access to some documentation files +RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F] +</IfModule> <IfModule mod_deflate.c> SetOutputFilter DEFLATE -- Gitblit v1.9.1