| author | 2024-11-19 21:28:50 +0100 | |
|---|---|---|
| committer | 2024-11-19 21:28:50 +0100 | |
| commit | 6970723aebae7ae90405368e6314e113885cd0de (patch) | |
| tree | e662f00fc1cbc9473cb3cb2261c7caf46adf4062 | |
| parent | 966f211202bc2ed6bf56b64e1ea3c4804e93c404 (diff) | |
Rework Apache deny access outside p (#7008)
* Rework Apache deny access outside p
The deny rules introduced by
https://github.com/FreshRSS/FreshRSS/pull/6881
gave problems for API access.
See also
https://github.com/FreshRSS/FreshRSS/discussions/6879
* Fix scope of deny logic
* Fix scope of deny logic
* Allow .txt
For e.g. `robots.txt`
| -rw-r--r-- | .htaccess.dist | 9 |
| -rw-r--r-- | p/.htaccess | 7 |
| -rw-r--r-- | p/themes/.htaccess | 7 |
3 files changed, 14 insertions, 9 deletions
diff --git a/.htaccess.dist b/.htaccess.dist index 18475b849..33f794673 100644 --- a/.htaccess.dist +++ b/.htaccess.dist @@ -1,7 +1,12 @@ # Copy this file to `.htaccess` for additional root-level protection # if you cannot set Apache `DocumentRoot` to `./p/` as recommended. -# Deny files starting with a dot, or without extension (except some), or not in a whitelist of extensions -<FilesMatch "^\.|^(?!oidc)[^.]+$|\.(?!css|gif|html|ico|js|php|png|svg|txt|woff|woff2)[^.]*$"> +# Deny files starting with a dot or without extension or with specific extensions +<FilesMatch "^\.|^[^.]+$|\.(config\.js|gz|json|md|neon|sqlite|xml|ya?ml|zip)$"> Require all denied </FilesMatch> + +# Deny some sub-folders, which may not be excluded by their own .htaccess +<If "%{REQUEST_URI} =~ m#/(bin|data|node_modules|vendor|\..+)(/|$)#"> + Require all denied +</If> diff --git a/p/.htaccess b/p/.htaccess index 40dd7e51f..70bc34710 100644 --- a/p/.htaccess +++ b/p/.htaccess @@ -1,10 +1,3 @@ -<IfModule mod_authz_core.c> - # Deny files starting with a dot, or without extension (except some), or not in a whitelist of extensions - <FilesMatch "^\.|^(?!oidc)[^.]+$|\.(?!css|gif|html|ico|js|php|png|svg|txt|woff|woff2)[^.]*$"> - Require all denied - </FilesMatch> -</IfModule> - <IfModule mod_dir.c> DirectoryIndex index.php index.html </IfModule> diff --git a/p/themes/.htaccess b/p/themes/.htaccess index 0e78aab3a..42732cd38 100644 --- a/p/themes/.htaccess +++ b/p/themes/.htaccess @@ -1,3 +1,10 @@ +<IfModule mod_authz_core.c> + # Deny files without extension or with specific extensions + <FilesMatch "^[^.]+$|\.(json|md|scss|sh)$"> + Require all denied + </FilesMatch> +</IfModule> + <IfModule mod_mime.c> AddType font/woff .woff AddType font/woff2 .woff2 |
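Review bot: In `.htaccess.dist`, the new `<FilesMatch>` replaces the extension allowlist with a denylist, so any extension not named in `config\.js|gz|json|md|neon|sqlite|xml|ya?ml|zip` is now served from the root by default. The comment should say that this file is a fallback and that the list is not exhaustive, and the list could take the `scss|sh` entries that `p/themes/.htaccess` denies in the same commit. The `(?!oidc)` exception of the removed pattern is also gone from `^[^.]+$`, so it is worth confirming that an extension-less `oidc` name no longer needs to pass this rule.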
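Review bot: In `p/.htaccess`, removing the whole `<FilesMatch>` block also drops its `^\.` alternative, and nothing in this hunk replaces it, so dot-files under `p/` are only covered when the optional root `.htaccess` has been copied from `.htaccess.dist`. Since the recommended setup is `DocumentRoot` at `./p/`, consider keeping a narrow rule here, for example `<FilesMatch "^\.">` with `Require all denied`, which does not depend on file extensions.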
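Review bot: In `p/themes/.htaccess`, the denied extensions `json|md|scss|sh` differ from the list in `.htaccess.dist`, and the comment does not say why these four were chosen. Suggest stating the reason in the comment, or deriving both rules from one list, so that the two files do not drift apart. The rule is also wrapped in `<IfModule mod_authz_core.c>` while the root file's rule is not, so where that module is not loaded this deny is skipped silently; a short comment noting that behaviour would help.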
