[SECURITY-19] Remove htaccess from allowed file types on new installations #13423

Merged
merged 1 commit into from Apr 18, 2017

Mark-H commented Apr 17, 2017

Reported to security@modx.com by Anti Räis in ticket 19 and Tomáš Melicher in ticket 20, the ability to upload or create .htaccess files can cause code execution. In a way this is a feature, but it being enabled by default can pose a risk to users who are unaware that this is possible.

Similar to how php files are not allowed out of the box, this patch will also prevent htaccess files by default. Users that want to manage htaccess from the manager can still do so by updating the upload_files setting after installation.

[SECURITY-19] Remove htaccess from allowed file types on new installations

Reported to security@modx.com by Anti Räis in ticket 19 and Tomáš Melicher in ticket 20, the ability to upload or create .htaccess files can cause code execution. Similar to how php files are not allowed out of the box, this patch prevents htaccess files by default to protect against that. Users that want to manage htaccess from the manager can still do so by editing the upload_files setting after installation.

@Mark-H Mark-H modified the milestone: 2.5.7 Apr 17, 2017

@Jako Jako self-assigned this Apr 18, 2017

@Jako Jako merged commit cd09558 into modxcms:2.5.x Apr 18, 2017
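An audit of an `upload_files` value for the risk this pull request describes, as an added example that is not part of the pull request or of MODX's code. It assumes the setting is a comma-separated list of extensions; the function names, the `RISKY` set and the sample values are constructed for illustration.

```python
import posixpath

# Extensions that let an uploaded file run code or change how the web server
# treats its directory. Constructed for this example, not an exhaustive list.
RISKY = {"htaccess", "php", "phtml", "phar"}

def parse_upload_files(value):
    """Split a comma-separated extension list into a normalised set."""
    return {e.strip().lstrip(".").lower() for e in value.split(",") if e.strip()}

def extension_of(filename):
    """Return the extension to compare against the allow-list.

    A dotfile such as '.htaccess' has no stem, so posixpath.splitext() reports
    an empty extension for it. Treat the text after the leading dot as the
    extension so the file is checked as 'htaccess' rather than as ''.
    """
    name = posixpath.basename(filename.replace("\\", "/"))
    _, ext = posixpath.splitext(name)
    if not ext and name.startswith("."):
        ext = name
    return ext.lstrip(".").lower()

def audit(value):
    """Return the risky extensions a setting value still allows, sorted."""
    return sorted(parse_upload_files(value) & RISKY)

def is_allowed(filename, value):
    """True if the file's extension is present in the allow-list."""
    ext = extension_of(filename)
    return bool(ext) and ext in parse_upload_files(value)

# Constructed setting values, not the MODX defaults.
BEFORE = "txt,html,css,js,htaccess,jpg,png"
AFTER = "txt,html,css,js,jpg,png"

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        print(label, "risky:", audit(value),
              ".htaccess allowed:", is_allowed("assets/.htaccess", value))
```

Because the change applies to new installations, running a check like this against the stored setting of an existing site shows whether `htaccess` is still on its allow-list.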

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed