[WIP] Web Server Config URL Rewrite Rules White List (#1458)

* Escaped literal periods in web server config files rewrite rules. * Black listed "yml" file extension in web server configs rewrite rules.
2025-10-26 07:56:07 +01:00 · 2017-05-06 13:09:31 -04:00
parent 04243f7dd3
commit fc5c3023c6
7 changed files with 28 additions and 28 deletions
--- a/.htaccess
+++ b/.htaccess
@@ -54,17 +54,17 @@ RewriteRule .* index.php [L]

 ## Begin - Security
 # Block all direct access for these folders
-RewriteRule ^(.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
+RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
 # Block access to specific file types for these system folders
-RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block access to specific file types for these user folders
-RewriteRule ^(user)/(.*)\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block all direct access to .md files:
 RewriteRule \.md$ error [F]
 # Block all direct access to files and folders beginning with a dot
 RewriteRule (^|/)\.(?!well-known) - [F]
 # Block access to specific files in the root folder
-RewriteRule ^(LICENSE.txt|composer.lock|composer.json|\.htaccess)$ error [F]
+RewriteRule ^(LICENSE\.txt|composer\.lock|composer\.json|\.htaccess)$ error [F]
 ## End - Security

 </IfModule>
--- a/webserver-configs/Caddyfile
+++ b/webserver-configs/Caddyfile
@@ -5,22 +5,22 @@ fastcgi / 127.0.0.1:9000 php
 # Begin - Security
 # deny all direct access for these folders
 rewrite {
-    r       /(.git|cache|bin|logs|backups|tests)/.*$
+    r       /(\.git|cache|bin|logs|backups|tests)/.*$
    to  	/403
 }
 # deny running scripts inside core system folders
 rewrite {
-    r       /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$
+    r       /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
    to  	/403
 }
 # deny running scripts inside user folder
 rewrite {
-    r       /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$
+    r       /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
    to  	/403
 }
 # deny access to specific files in the root folder
 rewrite {
-    r       /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess)
+    r       /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)
    to  	/403
 }

--- a/webserver-configs/Caddyfile-0.8.x
+++ b/webserver-configs/Caddyfile-0.8.x
@@ -7,22 +7,22 @@ fastcgi / 127.0.0.1:9000 php
 # Begin - Security
 # deny all direct access for these folders
 rewrite {
-    r       /(.git|cache|bin|logs|backups|tests)/.*$
+    r       /(\.git|cache|bin|logs|backups|tests)/.*$
    status  403
 }
 # deny running scripts inside core system folders
 rewrite {
-    r       /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$
+    r       /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
    status  403
 }
 # deny running scripts inside user folder
 rewrite {
-    r       /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$
+    r       /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
    status  403
 }
 # deny access to specific files in the root folder
 rewrite {
-    r       /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess)
+    r       /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)
    status  403
 }
 ## End - Security
--- a/webserver-configs/htaccess.txt
+++ b/webserver-configs/htaccess.txt
@@ -54,17 +54,17 @@ RewriteRule .* index.php [L]

 ## Begin - Security
 # Block all direct access for these folders
-RewriteRule ^(.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
+RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
 # Block access to specific file types for these system folders
-RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block access to specific file types for these user folders
-RewriteRule ^(user)/(.*)\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block all direct access to .md files:
 RewriteRule \.md$ error [F]
 # Block all direct access to files and folders beginning with a dot
 RewriteRule (^|/)\.(?!well-known) - [F]
 # Block access to specific files in the root folder
-RewriteRule ^(LICENSE.txt|composer.lock|composer.json|\.htaccess)$ error [F]
+RewriteRule ^(LICENSE\.txt|composer\.lock|composer\.json|\.htaccess)$ error [F]
 ## End - Security

 </IfModule>
@@ -72,4 +72,4 @@ RewriteRule ^(LICENSE.txt|composer.lock|composer.json|\.htaccess)$ error [F]
 # Begin - Prevent Browsing and Set Default Resources
 Options -Indexes
 DirectoryIndex index.php index.html index.htm
-# End - Prevent Browsing and Set Default Resources
+# End - Prevent Browsing and Set Default Resources
--- a/webserver-configs/lighttpd.conf
+++ b/webserver-configs/lighttpd.conf
@@ -27,13 +27,13 @@ url.rewrite-if-not-file = (
 )

 #IMPROVING SECURITY
-$HTTP["url"] =~ "^/grav_path/(LICENSE.txt|composer.json|composer.lock|nginx.conf|web.config)$" {
+$HTTP["url"] =~ "^/grav_path/(LICENSE\.txt|composer\.json|composer\.lock|nginx\.conf|web\.config)$" {
    url.access-deny = ("")
 }
-$HTTP["url"] =~ "^/grav_path/(.git|cache|bin|logs|backup|tests)/(.*)" {
+$HTTP["url"] =~ "^/grav_path/(\.git|cache|bin|logs|backup|tests)/(.*)" {
    url.access-deny = ("")
 }
-$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$" {
+$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" {
    url.access-deny = ("")
 }
 $HTTP["url"] =~ "^/grav_path/(\.(.*))" {
--- a/webserver-configs/nginx.conf
+++ b/webserver-configs/nginx.conf
@@ -18,13 +18,13 @@ server {

    ## Begin - Security
    # deny all direct access for these folders
-    location ~* /(.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+    location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
    # deny running scripts inside core system folders
-    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny running scripts inside user folder
-    location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
    # deny access to specific files in the root folder
-    location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }
+    location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
    ## End - Security

    ## Begin - PHP
--- a/webserver-configs/web.config
+++ b/webserver-configs/web.config
@@ -18,19 +18,19 @@
                    <action type="Rewrite" url="index.php" />
                </rule>
                <rule name="user_error_redirect" stopProcessing="true">
-                    <match url="^(user)/(.*)\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" />
+                    <match url="^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" />
                    <action type="Redirect" url="error" redirectType="Permanent" />
                </rule>
                <rule name="ignore_folders" stopProcessing="true">
-                    <match url="^(.git|cache|bin|logs|backup|webserver-configs|tests)/(.*)" ignoreCase="false" />
+                    <match url="^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*)" ignoreCase="false" />
                    <action type="Redirect" url="error" redirectType="Permanent" />
                </rule>
                <rule name="system" stopProcessing="true">
-                    <match url="^system/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$" ignoreCase="false" />
+                    <match url="^system/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" />
                    <action type="Redirect" url="error" redirectType="Permanent" />
                </rule>
                <rule name="vendor" stopProcessing="true">
-                    <match url="^vendor/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$" ignoreCase="false" />
+                    <match url="^vendor/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" />
                    <action type="Redirect" url="error" redirectType="Permanent" />
                </rule>
            </rules>