Task #42550

Add top-level .htaccess to block everything but Web

Added by Karsten Dambekalns over 8 years ago. Updated over 8 years ago.

Status: Under Review
Priority: Should have
Category: -
Target version: -
Start date: 2012-10-31
Due date:
% Done: 0%
Estimated time:
Sprint:
PHP Version:
Has patch: No
Complexity:

Description

Although we ask to use Web as document root, that is often not done and/or possible (think about the practice of default host setups like pXXX.server.tld being hardwired to the top level folder for many hosters). So people feel safe because they added a vhost pointing to Web, but don't think about that default host.

Should we add a .htaccess file to the top level that allows access only to Web? Please vote and/or discuss!

#1

Updated by Karsten Dambekalns over 8 years ago

Two ways to do this so far.

Simple, but affecting two files

.htaccess

Order Deny,Allow
Deny from all

Web/.htaccess

…
Allow from all

Complex, only one file affected

.htaccess

SetEnvIf Request_URI /Web/ ispublic=1
Order Deny,Allow
Deny from all
Allow from env=ispublic
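The simple two-file variant from the comment above, written out as a complete pair of files. This is an added example, not code from this ticket or from the Flow project: it places the Apache 2.4 `Require` syntax next to the 2.2 `Order`/`Deny`/`Allow` directives the comment uses, and it assumes a hypothetical install path of `/var/www/flow` whose `<Directory>` block sets `AllowOverride` to include `Limit` (2.2) or `AuthConfig` (2.4); without that, Apache ignores both files and the protection does not exist.

```apache
# ---- /var/www/flow/.htaccess (top level of the Flow distribution) ----
# Default-deny for everything under the Flow root (Configuration/, Data/,
# Packages/ ...), whichever directory a hoster ends up using as the
# document root for the default vhost.
<IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 (mod_access)
    Order Deny,Allow
    Deny from all
</IfModule>

# ---- /var/www/flow/Web/.htaccess (the intended public document root) ----
# Re-open access for Web/ only. Apache merges this file after the parent's,
# so it wins both when the top-level folder is the document root
# (request /Web/index.php) and when Web/ itself is (request /index.php):
# a correctly configured vhost sees no change in behaviour.
<IfModule mod_authz_core.c>
    Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Allow from all
</IfModule>

# ---- vhost fragment (assumed; belongs in the server config, not .htaccess) ----
# Limit covers Order/Allow/Deny on 2.2, AuthConfig covers Require on 2.4,
# FileInfo is what mod_rewrite rules in Web/.htaccess need.
# <Directory /var/www/flow>
#     AllowOverride Limit AuthConfig FileInfo
# </Directory>
```

A quick check after deploying is to request a file that must never be served (for example a path under `Configuration/`) from the default host and confirm a 403 on the top-level layout and a 404 on the Web-as-docroot layout. If the environment-variable variant is kept anyway, anchor the pattern (`^/Web/`) rather than matching `/Web/` anywhere in the URI, since `SetEnvIf` treats the value as an unanchored regular expression.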

#2

Updated by Bastian Waidelich over 8 years ago

Karsten Dambekalns wrote:

Two ways to do this so far.

I'd prefer the simple solution with two files and w/o environment variables (which are not supported on several shared hosters)

#3

Updated by Adrian Föder over 8 years ago

yep, agree the simple variant too, and since Web/ has an htaccess already, two files are affected, but only one new is introduced...

#4

Updated by Karsten Dambekalns over 8 years ago

Agreed. Also, the complex variant doesn't even work - it blocks as soon as Web is used as doc root as intended, because then there's no Web in the request URI… :)

#5

Updated by Karsten Dambekalns over 8 years ago

  • Subject changed from Add top-level .htaccess to blick everything but Web to Add top-level .htaccess to block everything but Web

#6

Updated by Gerrit Code Review over 8 years ago

  • Status changed from Needs Feedback to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/16078

#7

Updated by Karsten Dambekalns over 8 years ago

  • Target version set to 2.0

#8

Updated by Robert Lemke over 8 years ago

Although we ask to use Web as document root, that is often not done and/or possible (think about the practice of default host setups like pXXX.server.tld being hardwired to the top level folder for many hosters). So people feel safe because they added a vhost pointing to Web, but don't think about that default host.

Should we add a .htaccess file to the top level that allows access only to Web? Please vote and/or discuss!

+1 for the idea.

I don't have time this week to check the actual .htaccess implementation but if it works fine without bad side effects for people who set up Flow the right way, that's fine.

#9

Updated by Karsten Dambekalns over 8 years ago

  • Target version deleted (2.0)
