Task #81849
closed
_htaccess: Replace access block FilesMatch with If-Directive
100%
Description
The file _htaccess contained in the typo3_src folder is a template for the .htaccess file used by Typo3 installations running on Apache webserver.
Around line 213 access to some special files and filetypes is blocked with the following FilesMatch-directive:
# Access block for files
<FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
# Apache ≥ 2.3
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>
Due to the merging of configuration directives (http://httpd.apache.org/docs/2.2/sections.html#merging) this access block could be overridden by a Location- or LocationMatch-directive. For example a Basic-Auth in the vhost configuration implemented with a Location-directive...
<Location />
AuthType Basic
AuthName "Restriced area"
AuthBasicProvider file
AuthUserFile "some.passwd"
Require valid-user
</Location>
... disables the file access restrictions in the .htaccess.
For Apache 2.2 there is no alternative than rewriting the file access restrictions with a LocationMatch-directive in the vhost configuration.
For Apache 2.4 there is the new If-directive which has the "highest priority" when merging the configuration directives (http://httpd.apache.org/docs/2.4/sections.html#merging).
I would suggest rewriting the FilesMatch-directive as follows:
# Access block for files
# Apache < 2.3
<IfModule !mod_authz_core.c>
<FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
</IfModule>
# Apache ≥ 2.3
<IfModule mod_authz_core.c>
<If "%{REQUEST_URI} =~ m#(?i:/\.|^\x23.*\x23|/(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|/composer\.(?:json|lock)|/ext_conf_template\.txt|/ext_typoscript_constants\.txt|/ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$#">
Require all denied
</If>
</IfModule>
I'am not happy with the additional complexity and the maintenance of two slightly different regular expressions. But maybe the enhanced security is worth it!?
Updated by 
Updated by 
Updated by