Task #81849
closed
_htaccess: Replace access block FilesMatch with If-Directive
100%
Description
The file _htaccess contained in the typo3_src folder is a template for the .htaccess file used by Typo3 installations running on Apache webserver.
Around line 213 access to some special files and filetypes is blocked with the following FilesMatch-directive:
# Access block for files
<FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
# Apache ≥ 2.3
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>
Due to the merging of configuration directives (http://httpd.apache.org/docs/2.2/sections.html#merging) this access block could be overridden by a Location- or LocationMatch-directive. For example a Basic-Auth in the vhost configuration implemented with a Location-directive...
<Location />
AuthType Basic
AuthName "Restriced area"
AuthBasicProvider file
AuthUserFile "some.passwd"
Require valid-user
</Location>
... disables the file access restrictions in the .htaccess.
For Apache 2.2 there is no alternative than rewriting the file access restrictions with a LocationMatch-directive in the vhost configuration.
For Apache 2.4 there is the new If-directive which has the "highest priority" when merging the configuration directives (http://httpd.apache.org/docs/2.4/sections.html#merging).
I would suggest rewriting the FilesMatch-directive as follows:
# Access block for files
# Apache < 2.3
<IfModule !mod_authz_core.c>
<FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
</IfModule>
# Apache ≥ 2.3
<IfModule mod_authz_core.c>
<If "%{REQUEST_URI} =~ m#(?i:/\.|^\x23.*\x23|/(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|/composer\.(?:json|lock)|/ext_conf_template\.txt|/ext_typoscript_constants\.txt|/ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$#">
Require all denied
</If>
</IfModule>
I'am not happy with the additional complexity and the maintenance of two slightly different regular expressions. But maybe the enhanced security is worth it!?
Updated by Benni Mack over 6 years ago
- Project changed from 1900 to TYPO3 Core
- TYPO3 Version set to 8
Updated by Gerrit Code Review about 6 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55937
Updated by Gerrit Code Review about 6 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55937
Updated by Gerrit Code Review about 6 years ago
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/55942
Updated by Markus Klein about 6 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 05fd022f89741c1923802546c483ba7d2923d53a.