[SECURITY-19] Remove htaccess from allowed file types on new installations #13423
Reported to firstname.lastname@example.org by Anti Räis in ticket 19 and Tomáš Melicher in ticket 20, the ability to upload or create .htaccess files can cause code execution. In a way this is a feature, but it being enabled by default can pose a risk to users who are unaware that this is possible.
Similar to how php files are not allowed out of the box, this patch will also prevent htaccess files by default. Users that want to manage htaccess from the manager can still do so by updating the upload_files setting after installation.
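An added example, not part of this pull request or the project's code: a default-deny extension check showing why a dotfile such as `.htaccess` needs explicit handling, and an audit of an `upload_files` value. The comma-separated format, the sample lists and all function names are assumptions made for illustration.

```python
import os

# Extensions the page names as unsafe to accept by default.
EXECUTION_RISK = {"htaccess", "php"}

# Constructed sample values; the project's real default list is not on the page.
BEFORE = "txt,html,css,js,jpg,png,pdf,htaccess"
AFTER = "txt,html,css,js,jpg,png,pdf"


def parse_allowlist(setting):
    """Assumed format: comma-separated extensions, optional spaces or dots."""
    return {e.strip().lower().lstrip(".") for e in setting.split(",") if e.strip()}


def naive_extension(filename):
    """Pitfall: splitext treats a leading-dot name as having no extension."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def effective_extension(filename):
    """Text after the last dot of the base name, so '.htaccess' -> 'htaccess'."""
    name = os.path.basename(filename.replace("\\", "/")).strip().lower()
    return name.rpartition(".")[2] if "." in name else ""


def is_upload_allowed(filename, setting):
    """Default deny: only names whose extension is on the list pass."""
    ext = effective_extension(filename)
    return bool(ext) and ext in parse_allowlist(setting)


def audit_setting(setting):
    """Report allowed extensions that can lead to code execution."""
    return sorted(parse_allowlist(setting) & EXECUTION_RISK)


if __name__ == "__main__":
    for label, setting in (("before", BEFORE), ("after", AFTER)):
        print(label, "risky:", audit_setting(setting),
              ".htaccess allowed:", is_upload_allowed(".htaccess", setting))
```

Running `audit_setting` against the value stored on an existing installation shows whether it still accepts these extensions, since the change described above applies to new installations.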