vanilla · linc · Jun 16, 2017 · May 25, 2017 · May 25, 2017 · May 25, 2017
diff --git a/.gitignore b/.gitignore
@@ -2,9 +2,15 @@
 !/applications/conversations/
 !/applications/dashboard/
 !/applications/vanilla/
+/build/*
+!/build/.htaccess
+!/build/build.xml
+!/build/package-include.txt
+!/build/package-exclude.txt
 /cache/*
-!/cache/.gitkeep
+!/cache/.htaccess
 /conf/*
+!/conf/.htaccess
 !/conf/config-defaults.php
 !/conf/constants.php
 !/conf/readme.txt
@@ -55,6 +61,7 @@ _notes
 */_archive/*
 ~*
 composer-local.json
+/.htaccess
 .project
 .settings
 .buildpath
@@ -64,10 +71,6 @@ composer-local.json
 node_modules/
 bower_components/
 npm-debug.log
-/build/*
-!/build/build.xml
-!/build/package-include.txt
-!/build/package-exclude.txt
 /tests/cache/
 /cgi-bin/
 phpunit.xml
diff --git a/.htaccess.dist b/.htaccess.dist
@@ -4,33 +4,50 @@
 <IfModule mod_rewrite.c>
     RewriteEngine On
 
+    ####
     # Certain hosts may require the following line.
     # If vanilla is in a subfolder then you need to specify it after the /.
     # (ex. You put Vanilla in /forum so change the next line to: RewriteBase /forum)
-    # RewriteBase /
+    ####
+    #RewriteBase /
 
-    RewriteCond %{QUERY_STRING} ^p=/?([^&]+)(&([^?]+))?$
-    RewriteRule ^index\.php %1?%3 [E=X_REWRITE:1,L]
+    ####
+    # Deny access to certain directories that SHOULD NOT be exposed.
+    ####
+    RewriteRule (^|/)\.git - [L,R=403]
+    RewriteRule ^cache/ - [L,R=403]
+    RewriteRule ^cgi-bin/ - [L,R=403]
+    RewriteRule ^uploads/import/ - [L,R=403]
+    RewriteRule ^vendor/ - [L,R=403]
 
-    # The basic rewrite rule.
+    ####
+    # Prevent access to any php script by redirecting the request to /index.php
+    # You can add an exceptions by adding another RewriteCond after this one.
+    # Example: RewriteCond %{REQUEST_URI} !^/yourscriptname.php$
+    # You can comment out this section if it causes you problems.
+    # This is just a nice to have for security purposes.
+    ####
+    RewriteCond %{REQUEST_URI} !^/index.php$
+    RewriteRule ^(.+\.php)$ index.php [E=X_REWRITE:1,E=X_PATH_INFO:/$1,L]
+
+    ####
+    # Redirect any non existing file/directory to /index.php
+    ####
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteCond %{REQUEST_FILENAME} !-d
-    RewriteRule ^(.*)$ index.php [QSA,E=X_REWRITE:1,E=X_PATH_INFO:/$1,L]
+    RewriteRule ^(.*)$ index.php [E=X_REWRITE:1,E=X_PATH_INFO:/$1,L]
 
+    ####
     # Add the proper X_REWRITE server variable for rewritten requests.
+    ####
     RewriteCond %{ENV:REDIRECT_X_REWRITE} .+
     RewriteCond %{ENV:REDIRECT_X_PATH_INFO} (.+)
-    RewriteRule ^index\.php - [QSA,E=X_REWRITE:1,E=!REDIRECT_X_REWRITE,E=X_PATH_INFO:%1,E=!REDIRECT_X_PATH_INFO,L]
-
-    # 301 redirect urls that start with index.php
-    #RewriteCond %{REQUEST_METHOD} GET [NC]
-    #RewriteCond %{REQUEST_URI} ^(.*?)/index\.php(.*)$
-    #RewriteRule ^index\.php /%1%2 [QSA,R,L]
+    RewriteRule ^index\.php - [E=X_REWRITE:1,E=!REDIRECT_X_REWRITE,E=X_PATH_INFO:%1,E=!REDIRECT_X_PATH_INFO,L]
 </IfModule>
 
 <IfModule mod_headers.c>
    <FilesMatch "(?<!embed)\.(css|js|woff|ttf|eot|svg|png|gif|jpeg|jpg|ico|swf)$">
       Header set Cache-Control "max-age=315360000"
       Header set Expires "31 December 2037 23:59:59 GMT"
    </FilesMatch>
-</IfModule>
+</IfModule>
diff --git a/build/.htaccess b/build/.htaccess
@@ -0,0 +1 @@
+Deny from all
diff --git a/cache/.gitkeep b/cache/.gitkeep
diff --git a/cache/.htaccess b/cache/.htaccess
@@ -0,0 +1 @@
+Deny from all
diff --git a/cache/Smarty/.gitkeep b/cache/Smarty/.gitkeep
diff --git a/conf/.htaccess b/conf/.htaccess
@@ -0,0 +1 @@
+Deny from all