.htaccess hardening #5621
Make comments vs commented code clearer
Not really, no. That's the sort of thing that confuses the hell out of folks who aren't expecting it and will send them on a days-long odyssey. It should be opt-in for folks who want that level of security.
.htaccess.dist
RewriteCond %{QUERY_STRING} ^p=/?([^&]+)(&([^?]+))?$ | ||
RewriteRule ^index\.php %1?%3 [E=X_REWRITE:1,L] | ||
#### | ||
# Deny access to certain directories that SHOULD not be exposed. |
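Review bot: the trailing `?` in the substitution `%1?%3` is doing real work and deserves a comment on the line above it. In mod_rewrite a substitution that ends in `?` discards the original query string, so a request for `index.php?p=foo` is rewritten to `/foo` rather than `/foo?p=foo`; someone tidying the file later could easily drop it as a typo. The same comment should say what consumes the `X_REWRITE` variable set by `E=X_REWRITE:1`, since nothing in this file does.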
I think you wanna capitalize the 'NOT' also or instead.
.htaccess.dist
# Deny access to certain directories that SHOULD not be exposed. | ||
#### | ||
RewriteRule (^|/)\.git - [L,R=403] | ||
#RewriteRule ^build/ - [L,R=403] # Already covered by .htaccess |
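Review bot: the commented rule `#RewriteRule ^build/ - [L,R=403] # Already covered by .htaccess` cannot simply be uncommented as it stands. Apache does not allow a trailing `#` comment after a directive, so the text after the flags would be parsed as extra arguments and the server would reject the file. If these lines stay, put the explanation on its own `#` line above the rule. Separately, `(^|/)\.git` has no terminator, so besides the `.git` directory it also returns 403 for `.gitignore`, `.gitattributes` and anything under `.github/`; if only the repository metadata is meant, `(^|/)\.git(/|$)` is tighter, otherwise a comment should say the wider match is intended.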
In what scenario is someone uploading a build or tests folder that we'd need to account for it?
If they upload the cloned repository
@@ -0,0 +1 @@ | |||
Deny from all |
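Review bot: `Deny from all` is the Apache 2.2 (mod_access_compat) syntax. On a 2.4 server that does not load mod_access_compat the directive is unknown and every request into this directory fails with a 500 rather than being denied cleanly, and where the host sets `AllowOverride None` the file is never read at all. Consider shipping both forms guarded by `<IfModule>` so the file works on either version: `<IfModule mod_authz_core.c>` / `Require all denied` / `</IfModule>`, followed by the same block with `<IfModule !mod_authz_core.c>` around `Deny from all`.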
It's common for hosts to ignore .htaccess files that aren't in the root directory. What's the rationale for splitting this off?
/tests already has a .htaccess; I just copied the behaviour.
I added the commented rules in case someone preferred not to use the .htaccess (which is faster, I think).
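To make the root-rules versus per-directory question above concrete, here is an added example that is not part of the PR or the project's code. It evaluates the PR's RewriteRule patterns as Python regexes (mod_rewrite uses PCRE, and for patterns this simple the two behave identically) against a constructed list of paths from a cloned repository uploaded into the docroot, reports which paths only the build/ and tests/ .htaccess files protect while the root rules stay commented out, and includes a tightened .git pattern of my own for comparison. The sample paths and the tightened pattern are assumptions for illustration.

```python
import re

# Pattern from the root .htaccess under review, exactly as written there.
GIT_RULE_AS_WRITTEN = re.compile(r"(^|/)\.git")
# Tightened variant (my suggestion, not in the PR): require the name to end
# after ".git", so .gitignore and .github/ are only caught if that is intended.
GIT_RULE_TIGHTENED = re.compile(r"(^|/)\.git(/|$)")
# The two rules the PR left commented out in the root file.
DIR_RULES = [re.compile(r"^build/"), re.compile(r"^tests/")]

# Constructed sample of what lands in the docroot when someone uploads a
# whole cloned repository instead of a release build (hypothetical paths).
SAMPLE_PATHS = [
    "index.php",
    ".git/HEAD",
    ".git/config",
    ".gitignore",
    ".github/workflows/ci.yml",
    "build/config.php",
    "tests/bootstrap.php",
    "vendor/.git/config",
    "images/logo.png",
]


def blocked_by_root_rules(path, git_rule=GIT_RULE_AS_WRITTEN, dir_rules_enabled=False):
    """True if a root-level 'RewriteRule ... - [L,R=403]' catches this path.

    In a root .htaccess the RewriteRule pattern is matched against the URL
    path relative to that directory, without a leading slash, which is what
    the ^build/ and ^tests/ anchors rely on.
    """
    if git_rule.search(path):
        return True
    if dir_rules_enabled:
        return any(rule.search(path) for rule in DIR_RULES)
    return False


def needs_subdir_htaccess(paths, git_rule=GIT_RULE_AS_WRITTEN):
    """Paths protected only by the per-directory .htaccess files while the
    build/ and tests/ rules in the root file remain commented out."""
    return [
        p for p in paths
        if not blocked_by_root_rules(p, git_rule)
        and (p.startswith("build/") or p.startswith("tests/"))
    ]


def overmatched_by_git_rule(paths):
    """Paths the as-written .git rule denies that the tightened one lets through."""
    return [
        p for p in paths
        if GIT_RULE_AS_WRITTEN.search(p) and not GIT_RULE_TIGHTENED.search(p)
    ]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:32} root-blocked={blocked_by_root_rules(p)}")
    print("relies on subdir .htaccess:", needs_subdir_htaccess(SAMPLE_PATHS))
    print("caught only by the loose .git rule:", overmatched_by_git_rule(SAMPLE_PATHS))
```

Run as-is and the two summary lines show the trade-off being argued here: with the root build/ and tests/ rules commented out, those directories depend entirely on a host honouring non-root .htaccess files, and the loose .git pattern also denies .gitignore and .github/, which may or may not be what the project wants.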
That being said should I uncomment them?
I'd delete the redundant lines in the main htaccess entirely.
These directories should never, ever make it to production. The sub-.htaccess files being here is already a backup. Double-backing it up by also having comments in the main htaccess seems like tacit approval of this massive screwup because someone would have to opt into it, at which point what the hell are they even doing?
Fixes #3431