From 909d25f197cfc55bdf461546d5f5b0ac3981cbfc Mon Sep 17 00:00:00 2001
From: Gunnstein Lye
Date: Tue, 14 Sep 2021 14:58:37 +0200
Subject: [PATCH] Merge pull request from GHSA-2rh5-jvgx-pgw3

Co-authored-by: Gunnstein Lye
(cherry picked from commit 5ccf2b57e5c021462071e8bc58b6f9a59cde5c6c)
---
 .platform.app.yaml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/.platform.app.yaml b/.platform.app.yaml
index fc3520fc74..f92d4265a4 100644
--- a/.platform.app.yaml
+++ b/.platform.app.yaml
@@ -62,10 +62,35 @@ web:
 passthru: "/app.php"
 # The number of seconds whitelisted (static) content should be cache
 expires: 600
+ # Deny by default, allow in rules below as necessary
+ allow: false
 rules:
+ # This appears redundant, but looks can be deceiving.
 # Disable .php(3) and other executable extensions in the var directory
 '^/var/.*(?i)\.(php3?|phar|phtml|sh|exe|pl|bin)$':
 allow: false
+ # Serve storage/images|images-versioned directly
+ '^/var/([^/]+/)?storage/images(-versioned)?/.*':
+ allow: true
+ '^/favicon\.ico':
+ allow: true
+ '^/robots\.txt':
+ allow: true
+ '^/bundles/':
+ allow: true
+ '^/assets/':
+ allow: true
+ '^/design/':
+ allow: true
+ '^/extension/[^/]+/design([/?]|$)':
+ allow: true
+ '^/var/[^/]+/cache/public([/?]|$)':
+ allow: true
+ '^/share/icons/':
+ allow: true
+ # Comment this if in "dev" mode
+ '^/(css|js|fonts?)/.*\.(css|js|otf|eot|ttf|svg|woff)':
+ allow: true
 # The size of the persistent disk of the application (in MB).
 disk: 3072
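Review bot: The added comment `# This appears redundant, but looks can be deceiving.` above the executable-extension deny rule leaves the next maintainer to guess why the rule survives the new `allow: false` default, and that guess is exactly what the advisory fix depends on. The reason is visible in the hunk: the later `storage/images(-versioned)?/.*` and `cache/public` allow rules are open-ended prefix matches under `/var/`, so the deny rule is what keeps a script-named file uploaded there from being served; I would replace the comment with `# Not redundant: the /var/ allow rules below are prefix matches, so this deny must stay to block executables under storage/ and cache/` (hedged on rule precedence, which the platform defines outside this file). Related, the final static-asset rule `'^/(css|js|fonts?)/.*\.(css|js|otf|eot|ttf|svg|woff)'` has no `$` anchor, so any path containing one of those extensions mid-name (e.g. `/js/app.js.map`, or a `.php` suffix after `.js`) also matches and is allowed; adding `$` as the `/var/` deny rule already does would make the allowlist exact, and the same applies to `'^/favicon\.ico'` and `'^/robots\.txt'`. The enclosing `web:` location block starts before this hunk.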