Nemcio/Grav
1
0
Fork 0
mirror of https://github.com/getgrav/grav.git synced 2025-11-01 10:56:21 +01:00
Code Issues Packages Projects Releases Activity

Block .json files in web server configs

Browse Source
This commit is contained in:
Matias Griese
2021-12-08 15:07:42 +02:00
parent 6c7064db93
commit 1f3f1828c2
6 changed files with 11 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.htaccess
View File

@@ -59,9 +59,9 @@ RewriteRule .* index.php [L]
# Block all direct access for these folders # Block all direct access for these folders
RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F] RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
# Block access to specific file types for these system folders # Block access to specific file types for these system folders
RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F] RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block access to specific file types for these user folders # Block access to specific file types for these user folders
RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F] RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block all direct access to .md files: # Block all direct access to .md files:
RewriteRule \.md$ error [F] RewriteRule \.md$ error [F]
# Block all direct access to files and folders beginning with a dot # Block all direct access to files and folders beginning with a dot

1
CHANGELOG.md
View File

@@ -12,6 +12,7 @@
3. [](#bugfix) 3. [](#bugfix)
* Fixed bad key lookup in `FlexRelatedDirectoryTrait::getCollectionByProperty()` * Fixed bad key lookup in `FlexRelatedDirectoryTrait::getCollectionByProperty()`
* Fixed RequestHandlers `NotFoundException` having empty request * Fixed RequestHandlers `NotFoundException` having empty request
* Block `.json` files in web server configs
# v1.7.25 # v1.7.25
## 11/16/2021 ## 11/16/2021

4
webserver-configs/htaccess.txt
View File

@@ -59,9 +59,9 @@ RewriteRule .* index.php [L]
# Block all direct access for these folders # Block all direct access for these folders
RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F] RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
# Block access to specific file types for these system folders # Block access to specific file types for these system folders
RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F] RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block access to specific file types for these user folders # Block access to specific file types for these user folders
RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F] RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block all direct access to .md files: # Block all direct access to .md files:
RewriteRule \.md$ error [F] RewriteRule \.md$ error [F]
# Block all direct access to files and folders beginning with a dot # Block all direct access to files and folders beginning with a dot

2
webserver-configs/lighttpd.conf
View File

@@ -33,7 +33,7 @@ $HTTP["url"] =~ "^/grav_path/(LICENSE\.txt|composer\.json|composer\.lock|nginx\.
$HTTP["url"] =~ "^/grav_path/(\.git|cache|bin|logs|backup|tests)/(.*)" { $HTTP["url"] =~ "^/grav_path/(\.git|cache|bin|logs|backup|tests)/(.*)" {
url.access-deny = ("") url.access-deny = ("")
} }
$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" { $HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" {
url.access-deny = ("") url.access-deny = ("")
} }
$HTTP["url"] =~ "^/grav_path/(\.(.*))" { $HTTP["url"] =~ "^/grav_path/(\.(.*))" {

4
webserver-configs/nginx.conf
View File

@@ -20,9 +20,9 @@ server {
# deny all direct access for these folders # deny all direct access for these folders
location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; } location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
# deny running scripts inside core system folders # deny running scripts inside core system folders
location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
# deny running scripts inside user folder # deny running scripts inside user folder
location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; } location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
# deny access to specific files in the root folder # deny access to specific files in the root folder
location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; } location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
## End - Security ## End - Security

6
webserver-configs/web.config
View File

@@ -18,7 +18,7 @@
<action type="Rewrite" url="index.php" /> <action type="Rewrite" url="index.php" />
</rule> </rule>
<rule name="user_error_redirect" stopProcessing="true"> <rule name="user_error_redirect" stopProcessing="true">
<match url="^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" /> <match url="^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" />
<action type="Redirect" url="error" redirectType="Permanent" /> <action type="Redirect" url="error" redirectType="Permanent" />
</rule> </rule>
<rule name="ignore_folders" stopProcessing="true"> <rule name="ignore_folders" stopProcessing="true">
@@ -26,11 +26,11 @@
<action type="Redirect" url="error" redirectType="Permanent" /> <action type="Redirect" url="error" redirectType="Permanent" />
</rule> </rule>
<rule name="system" stopProcessing="true"> <rule name="system" stopProcessing="true">
<match url="^system/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" /> <match url="^system/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" />
<action type="Redirect" url="error" redirectType="Permanent" /> <action type="Redirect" url="error" redirectType="Permanent" />
</rule> </rule>
<rule name="vendor" stopProcessing="true"> <rule name="vendor" stopProcessing="true">
<match url="^vendor/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" /> <match url="^vendor/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" />
<action type="Redirect" url="error" redirectType="Permanent" /> <action type="Redirect" url="error" redirectType="Permanent" />
</rule> </rule>
</rules> </rules>