diff options
| author | Marc Alexander <admin@m-a-styles.de> | 2017-07-16 10:59:48 +0200 |
|---|---|---|
| committer | Marc Alexander <admin@m-a-styles.de> | 2017-07-16 10:59:48 +0200 |
| commit | c99820eb6b13e928fdc2138840e0ec77cd4fe6c9 (patch) | |
| tree | 6b97c4a1adb49e0d03751e1b9ec6b7ad2ed0d3ac /phpBB/phpbb | |
| parent | 0ec5e2197908d69bfa18a0e257131e967cd96ec4 (diff) | |
| parent | 1dea4625d0f958787c6357bef84a6d7a5453fe5f (diff) | |
| download | forums-c99820eb6b13e928fdc2138840e0ec77cd4fe6c9.tar forums-c99820eb6b13e928fdc2138840e0ec77cd4fe6c9.tar.gz forums-c99820eb6b13e928fdc2138840e0ec77cd4fe6c9.tar.bz2 forums-c99820eb6b13e928fdc2138840e0ec77cd4fe6c9.tar.xz forums-c99820eb6b13e928fdc2138840e0ec77cd4fe6c9.zip | |
Merge pull request #29 from phpbb/ticket/security-181
[ticket/security-181] Harden protection of migrations files and other directories
Diffstat (limited to 'phpBB/phpbb')
| -rw-r--r-- | phpBB/phpbb/db/migration/data/v30x/.htaccess | 33 | ||||
| -rw-r--r-- | phpBB/phpbb/db/migration/data/v310/.htaccess | 33 | ||||
| -rw-r--r-- | phpBB/phpbb/db/migration/data/v31x/.htaccess | 33 |
3 files changed, 99 insertions, 0 deletions
diff --git a/phpBB/phpbb/db/migration/data/v30x/.htaccess b/phpBB/phpbb/db/migration/data/v30x/.htaccess new file mode 100644 index 0000000000..44242b5418 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v30x/.htaccess @@ -0,0 +1,33 @@ +# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from +# module mod_authz_host to a new module called mod_access_compat (which may be +# disabled) and a new "Require" syntax has been introduced to mod_authz_host. +# We could just conditionally provide both versions, but unfortunately Apache +# does not explicitly tell us its version if the module mod_version is not +# available. In this case, we check for the availability of module +# mod_authz_core (which should be on 2.4 or higher only) as a best guess. +<IfModule mod_version.c> + <IfVersion < 2.4> + <Files "*"> + Order Allow,Deny + Deny from All + </Files> + </IfVersion> + <IfVersion >= 2.4> + <Files "*"> + Require all denied + </Files> + </IfVersion> +</IfModule> +<IfModule !mod_version.c> + <IfModule !mod_authz_core.c> + <Files "*"> + Order Allow,Deny + Deny from All + </Files> + </IfModule> + <IfModule mod_authz_core.c> + <Files "*"> + Require all denied + </Files> + </IfModule> +</IfModule> diff --git a/phpBB/phpbb/db/migration/data/v310/.htaccess b/phpBB/phpbb/db/migration/data/v310/.htaccess new file mode 100644 index 0000000000..44242b5418 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v310/.htaccess @@ -0,0 +1,33 @@ +# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from +# module mod_authz_host to a new module called mod_access_compat (which may be +# disabled) and a new "Require" syntax has been introduced to mod_authz_host. +# We could just conditionally provide both versions, but unfortunately Apache +# does not explicitly tell us its version if the module mod_version is not +# available. In this case, we check for the availability of module +# mod_authz_core (which should be on 2.4 or higher only) as a best guess. +<IfModule mod_version.c> + <IfVersion < 2.4> + <Files "*"> + Order Allow,Deny + Deny from All + </Files> + </IfVersion> + <IfVersion >= 2.4> + <Files "*"> + Require all denied + </Files> + </IfVersion> +</IfModule> +<IfModule !mod_version.c> + <IfModule !mod_authz_core.c> + <Files "*"> + Order Allow,Deny + Deny from All + </Files> + </IfModule> + <IfModule mod_authz_core.c> + <Files "*"> + Require all denied + </Files> + </IfModule> +</IfModule> diff --git a/phpBB/phpbb/db/migration/data/v31x/.htaccess b/phpBB/phpbb/db/migration/data/v31x/.htaccess new file mode 100644 index 0000000000..44242b5418 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v31x/.htaccess @@ -0,0 +1,33 @@ +# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from +# module mod_authz_host to a new module called mod_access_compat (which may be +# disabled) and a new "Require" syntax has been introduced to mod_authz_host. +# We could just conditionally provide both versions, but unfortunately Apache +# does not explicitly tell us its version if the module mod_version is not +# available. In this case, we check for the availability of module +# mod_authz_core (which should be on 2.4 or higher only) as a best guess. +<IfModule mod_version.c> + <IfVersion < 2.4> + <Files "*"> + Order Allow,Deny + Deny from All + </Files> + </IfVersion> + <IfVersion >= 2.4> + <Files "*"> + Require all denied + </Files> + </IfVersion> +</IfModule> +<IfModule !mod_version.c> + <IfModule !mod_authz_core.c> + <Files "*"> + Order Allow,Deny + Deny from All + </Files> + </IfModule> + <IfModule mod_authz_core.c> + <Files "*"> + Require all denied + </Files> + </IfModule> +</IfModule> |