From 04785b78a71994a6655815586128e4a666e5f8bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C4=83t=C4=83lin=20Mari=C8=99?= Date: Tue, 3 Jun 2014 00:20:15 +0300 Subject: [PATCH] Don't block access to content from `/.well-known/` The `/.well-known/` directory represents the standard path prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`, `/.well-known/keybase.txt`), and therefore, access to its visible content should not be blocked. Ref: http://tools.ietf.org/html/rfc5785 https://www.mnot.net/blog/2010/04/07/well-known Close h5bp/server-configs-apache#31. --- CHANGELOG.md | 4 +- src/.htaccess | 18 ++++- test/fixtures/content/.htaccess | 17 ++++- .../.well-known/.hidden_directory/test.html | 10 +++ .../content/.well-known/manifest.json | 17 +++++ .../test/.hidden_directory/test.html | 10 +++ .../content/.well-known/test/test.html | 10 +++ test/test.js | 66 ++++++++++++++++++- 8 files changed, 145 insertions(+), 7 deletions(-) create mode 100644 test/fixtures/content/.well-known/.hidden_directory/test.html create mode 100644 test/fixtures/content/.well-known/manifest.json create mode 100644 test/fixtures/content/.well-known/test/.hidden_directory/test.html create mode 100644 test/fixtures/content/.well-known/test/test.html diff --git a/CHANGELOG.md b/CHANGELOG.md index 47290a7a..89305f11 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,8 @@ ### HEAD -* Forbid access to `.conf` files +* Don't block access to the content from within the `/.well-known/` directory + [[#31](https://github.com/h5bp/server-configs-apache/issues/31)]. +* Forbid access to `.conf` files. * Add the `no-transform` value to the `Cache-Control` HTTP response header without overwriting the existing value. * Add `cur`, `ico`, `svg`, `svgz` and `webp` to the filename-based cache diff --git a/src/.htaccess b/src/.htaccess index 5498fe9b..623037a1 100644 --- a/src/.htaccess +++ b/src/.htaccess 
@@ -324,6 +324,7 @@ AddDefaultCharset utf-8 # ------------------------------------------------------------------------------ # Block access to directories without a default document. + # You should leave the following uncommented, as you shouldn't allow anyone to # surf through every directory on your server (which may includes rather private # places such as the CMS's directories). @@ -334,10 +335,23 @@ AddDefaultCharset utf-8 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Block access to hidden files and directories. -# This includes directories used by version control systems such as Git and SVN. +# Block access to all hidden files and directories with the exception of the +# visible content from within the `/.well-known/` hidden directory. + +# These types of files usually contain user preferences or the preserved state +# of an utility, and can include rather private places like, for example, the +# `.git` or `.svn` directories. + +# The `/.well-known/` directory represents the standard (RFC 5785) path prefix +# for "well-known locations" (e.g.: `/.well-known/manifest.json`, +# `/.well-known/keybase.txt`), and therefore, access to its visible content +# should not be blocked. + +# https://www.mnot.net/blog/2010/04/07/well-known +# http://tools.ietf.org/html/rfc5785 + RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC] RewriteCond %{SCRIPT_FILENAME} -d [OR] RewriteCond %{SCRIPT_FILENAME} -f RewriteRule "(^|/)\." - [F] diff --git a/test/fixtures/content/.htaccess b/test/fixtures/content/.htaccess index e26e7a70..4d663095 100644 --- a/test/fixtures/content/.htaccess +++ b/test/fixtures/content/.htaccess 
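Review bot: The `.` in `([^./]+./?)+$` on the new `RewriteCond %{REQUEST_URI}` line is an unescaped wildcard that matches any character, including `/`, so the exemption's intended meaning — one or more path segments below `/.well-known/`, none starting with a dot — is hard to verify by reading, and it rejects single-character names as a side effect. A pattern that states the intent directly is `RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^/.][^/]*/)*[^/.][^/]*$" [NC]`; it still leaves `.well-known/`, `.well-known/.hidden_directory/test.html` and `.well-known/test/.hidden_directory/test.html` to the `RewriteRule "(^|/)\." - [F]` block, and `.well-known/test/` to the directory-listing block that the hunk at line 324 presumably relies on for its 403. The same condition is duplicated in the test/fixtures/content/.htaccess hunk and should change together with this one. Also, the added comment reads `of an utility`; `of a utility` is correct.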
@@ -334,10 +334,23 @@ AddDefaultCharset utf-8 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Block access to hidden files and directories. -# This includes directories used by version control systems such as Git and SVN. +# Block access to all hidden files and directories with the exception of the +# visible content from within the `/.well-known/` hidden directory. + +# These types of files usually contain user preferences or the preserved state +# of an utility, and can include rather private places like, for example, the +# `.git` or `.svn` directories. + +# The `/.well-known/` directory represents the standard (RFC 5785) path prefix +# for "well-known locations" (e.g.: `/.well-known/manifest.json`, +# `/.well-known/keybase.txt`), and therefore, access to its visible content +# should not be blocked. + +# https://www.mnot.net/blog/2010/04/07/well-known +# http://tools.ietf.org/html/rfc5785 + RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC] RewriteCond %{SCRIPT_FILENAME} -d [OR] RewriteCond %{SCRIPT_FILENAME} -f RewriteRule "(^|/)\." - [F] diff --git a/test/fixtures/content/.well-known/.hidden_directory/test.html b/test/fixtures/content/.well-known/.hidden_directory/test.html new file mode 100644 index 00000000..6d02a584 --- /dev/null +++ b/test/fixtures/content/.well-known/.hidden_directory/test.html @@ -0,0 +1,10 @@ + + + + + test + + + test + + diff --git a/test/fixtures/content/.well-known/manifest.json b/test/fixtures/content/.well-known/manifest.json new file mode 100644 index 00000000..38817f49 --- /dev/null +++ b/test/fixtures/content/.well-known/manifest.json @@ -0,0 +1,17 @@ +{ + "name": "test", + "icons": [{ + "src": "icon/lowres", + "sizes": "64x64", + "type": "image/webp" + }, { + "src": "icon/hd_small", + "sizes": "64x64" + }, { + "src": "icon/hd_hi", + "sizes": "128x128" + }], + "start_url": "/start.html", + "display": "fullscreen", + "orientation": "landscape" +} 
diff --git a/test/fixtures/content/.well-known/test/.hidden_directory/test.html b/test/fixtures/content/.well-known/test/.hidden_directory/test.html new file mode 100644 index 00000000..6d02a584 --- /dev/null +++ b/test/fixtures/content/.well-known/test/.hidden_directory/test.html @@ -0,0 +1,10 @@ + + + + + test + + + test + + diff --git a/test/fixtures/content/.well-known/test/test.html b/test/fixtures/content/.well-known/test/test.html new file mode 100644 index 00000000..6d02a584 --- /dev/null +++ b/test/fixtures/content/.well-known/test/test.html @@ -0,0 +1,10 @@ + + + + + test + + + test + + diff --git a/test/test.js b/test/test.js index d0cb8801..389bad13 100644 --- a/test/test.js +++ b/test/test.js 
@@ -526,14 +526,76 @@ var tests = [ }, { - description: 'Test if access is forbidden to hidden files and directories', + description: 'Test if access is forbidden to hidden files and directories with the exception of the visible content from within the `/.well-known/` hidden directory', files: { '.hidden_file': { statusCode: 403 }, - '.hidden_directory': { + '.hidden_directory/': { + statusCode: 403 + }, + + '.well-known/': { + statusCode: 403 + }, + + '.well-known/manifest.json': { + content: + '{\n' + + ' "name": "test",\n' + + ' "icons": [{\n' + + ' "src": "icon/lowres",\n' + + ' "sizes": "64x64",\n' + + ' "type": "image/webp"\n' + + ' }, {\n' + + ' "src": "icon/hd_small",\n' + + ' "sizes": "64x64"\n' + + ' }, {\n' + + ' "src": "icon/hd_hi",\n' + + ' "sizes": "128x128"\n' + + ' }],\n' + + ' "start_url": "/start.html",\n' + + ' "display": "fullscreen",\n' + + ' "orientation": "landscape"\n' + + '}\n', + requestHeaders: {} + + }, + + '.well-known/.hidden_directory/': { + statusCode: 403 + }, + + '.well-known/.hidden_directory/test.html': { + statusCode: 403 + }, + + '.well-known/test/': { + statusCode: 403 + }, + + '.well-known/test/test.html': { + content: + '\n' + + '\n' + + '\n' + + ' \n' + + ' test\n' + + '\n' + + '\n' + + ' test\n' + + '\n' + + '\n', + requestHeaders: {} + }, + + '.well-known/test/.hidden_directory/': { + statusCode: 403 + }, + + '.well-known/test/.hidden_directory/test.html': { statusCode: 403 }