	Block .json files in web server configs
				
					
				
		| @@ -59,9 +59,9 @@ RewriteRule .* index.php [L] | ||||
| # Block all direct access for these folders | ||||
| RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F] | ||||
| # Block access to specific file types for these system folders | ||||
| RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F] | ||||
| RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F] | ||||
| # Block access to specific file types for these user folders | ||||
| RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F] | ||||
| RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F] | ||||
| # Block all direct access to .md files: | ||||
| RewriteRule \.md$ error [F] | ||||
| # Block all direct access to files and folders beginning with a dot | ||||
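Review bot: Both updated rules still anchor the extension with `\.(…)$`, so a request carrying trailing path-info such as `/system/foo.php/x` or `/user/config/site.yaml/x` does not match the pattern at all. The front-controller rewrite shown in the hunk header (`RewriteRule .* index.php [L]`) is presumably guarded by file-exists conditions outside this hunk, so such a request would fall through to the normal handler; under mod_php and proxy_fcgi the script is executed with PATH_INFO unless `AcceptPathInfo Off` is set, which turns the deny for `.php` into a bypass rather than a block. Consider tolerating a path-info suffix: `RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)(/.*)?$ error [F]` and `RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)(/.*)?$ error [F]`. I cannot see the handler or `AcceptPathInfo` setting from this hunk, so confirm against the deployed Apache configuration before relying on the current anchoring.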
|   | ||||
| @@ -12,6 +12,7 @@ | ||||
| 3. [](#bugfix) | ||||
|    * Fixed bad key lookup in `FlexRelatedDirectoryTrait::getCollectionByProperty()` | ||||
|    * Fixed RequestHandlers `NotFoundException` having empty request | ||||
|    * Block `.json` files in web server configs | ||||
|  | ||||
| # v1.7.25 | ||||
| ## 11/16/2021 | ||||
|   | ||||
| @@ -59,9 +59,9 @@ RewriteRule .* index.php [L] | ||||
| # Block all direct access for these folders | ||||
| RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F] | ||||
| # Block access to specific file types for these system folders | ||||
| RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F] | ||||
| RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F] | ||||
| # Block access to specific file types for these user folders | ||||
| RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F] | ||||
| RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F] | ||||
| # Block all direct access to .md files: | ||||
| RewriteRule \.md$ error [F] | ||||
| # Block all direct access to files and folders beginning with a dot | ||||
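Review bot: The new `json` entries on the `(system|vendor)` and `(user)` rules are matched case-sensitively because neither RewriteRule carries the `[NC]` flag, whereas the nginx rules in this same commit use `location ~*`. On a case-insensitive filesystem (Windows, default macOS) a request for `system/foo.JSON` or `user/config/site.Yaml` resolves to the real file and is served. If this template is meant to be portable, add the flag to both rules, e.g. `RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F,NC]` and `RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F,NC]`. The unflagged `RewriteRule \.md$ error [F]` on the following line has the same gap.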
|   | ||||
| @@ -33,7 +33,7 @@ $HTTP["url"] =~ "^/grav_path/(LICENSE\.txt|composer\.json|composer\.lock|nginx\. | ||||
| $HTTP["url"] =~ "^/grav_path/(\.git|cache|bin|logs|backup|tests)/(.*)" { | ||||
|     url.access-deny = ("") | ||||
| } | ||||
| $HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" { | ||||
| $HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" { | ||||
|     url.access-deny = ("") | ||||
| } | ||||
| $HTTP["url"] =~ "^/grav_path/(\.(.*))" { | ||||
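Review bot: The extension list on the updated `$HTTP["url"]` rule is still narrower than the Apache and nginx rules changed in this same commit — it lacks `xml`, `pl`, `py` and `cgi` — and the folder rule just above it omits `webserver-configs`, which the Apache rule blocks, so the three configurations do not deny the same paths. Since the list is being edited anyway, align it with the union of the other two: `$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" {` and add `webserver-configs` to the folder regex on the preceding rule. Note that `=~` here matches case-sensitively, which is fine on a case-sensitive filesystem but is worth a one-line comment in the file, e.g. `# extension matches are case-sensitive; deploy on a case-sensitive filesystem`.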
|   | ||||
| @@ -20,9 +20,9 @@ server { | ||||
|     # deny all direct access for these folders | ||||
|     location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; } | ||||
|     # deny running scripts inside core system folders | ||||
|     location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } | ||||
|     location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } | ||||
|     # deny running scripts inside user folder | ||||
|     location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } | ||||
|     location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } | ||||
|     # deny access to specific files in the root folder | ||||
|     location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; } | ||||
|     ## End - Security | ||||
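Review bot: The folder deny on the `location ~* /(\.git|cache|bin|logs|backup|tests)/` line above the changed lines does not include `webserver-configs`, while the Apache rule in this commit does. The root-file deny at the end of the hunk is unanchored, so it catches `nginx.conf`, `web.config` and `htaccess.txt` anywhere in the path, but it does not name the lighttpd config this commit also edits; if that directory is deployed inside the web root (I cannot tell from the hunk) `webserver-configs/lighttpd.conf` stays readable. Consider `location ~* /(\.git|cache|bin|logs|backup|webserver-configs|tests)/.*$ { return 403; }`. The `~*` modifier on the changed lines already makes the new `json` match case-insensitive, which the Apache and IIS rules in this commit do not.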
|   | ||||
| @@ -18,7 +18,7 @@ | ||||
|                     <action type="Rewrite" url="index.php" /> | ||||
|                 </rule> | ||||
|                 <rule name="user_error_redirect" stopProcessing="true"> | ||||
|                     <match url="^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" /> | ||||
|                     <match url="^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" /> | ||||
|                     <action type="Redirect" url="error" redirectType="Permanent" /> | ||||
|                 </rule> | ||||
|                 <rule name="ignore_folders" stopProcessing="true"> | ||||
| @@ -26,11 +26,11 @@ | ||||
|                     <action type="Redirect" url="error" redirectType="Permanent" /> | ||||
|                 </rule> | ||||
|                 <rule name="system" stopProcessing="true"> | ||||
|                     <match url="^system/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" /> | ||||
|                     <match url="^system/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" /> | ||||
|                     <action type="Redirect" url="error" redirectType="Permanent" /> | ||||
|                 </rule> | ||||
|                 <rule name="vendor" stopProcessing="true"> | ||||
|                     <match url="^vendor/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" /> | ||||
|                     <match url="^vendor/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" /> | ||||
|                     <action type="Redirect" url="error" redirectType="Permanent" /> | ||||
|                 </rule> | ||||
|             </rules> | ||||
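Review bot: All three updated `<match>` patterns keep `ignoreCase="false"`, so the new `json` entry (and every other extension in the list) is matched case-sensitively, yet IIS serves from NTFS, where a request for `system/foo.JSON` or `user/config/site.YAML` resolves to the same file and slips past these rules. Switch the three patterns to case-insensitive matching, e.g. `<match url="^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="true" />` and the same for the `system` and `vendor` rules (or drop the attribute, whose default is true). Separately, these rules answer with a permanent redirect to `error` rather than the 403 the other configs in this commit return; whether that is intentional is outside this change, but a one-line comment in the file explaining it would help the next reader.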
|   | ||||