Bug #91893

server response on static files - basic rules should be in default htaccess

Added by Stefan P 3 months ago. Updated 21 days ago.

Status: Closed
Priority: Should have
Assignee:
Category: Security
Target version: -
Start date: 2020-07-30
Due date:
% Done: 100%
TYPO3 Version: 9
PHP Version:
Tags:
Complexity: no-brainer
Is Regression:
Sprint Focus:

Description

These lines should be put in the shipped default .htaccess (ext:install/Resources/Private/FolderStructureTemplateFiles/root-htaccess)

See https://stackoverflow.com/questions/61759835/security-message-after-upgrade-to-9-5-17

Meaningful security measures should be included by default if they are reported anyway in the reports module in the backend.

<IfModule mod_mime.c>
    RemoveType .html .htm
    <FilesMatch ".+\.html?$">
        AddType text/html .html
        AddType text/html .htm
    </FilesMatch>

    RemoveType .svg .svgz
    <FilesMatch ".+\.svgz?$">
        AddType image/svg+xml .svg
        AddType image/svg+xml .svgz
    </FilesMatch>
</IfModule>
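
A check a site owner could run to confirm the rules above are in effect, added here as an example and not part of the ticket or of TYPO3: it flags files served as text/html or image/svg+xml whose name does not match the corresponding FilesMatch pattern. The file names and header blocks are constructed sample data, and the function names are illustrative.

```python
import re

# The two FilesMatch patterns from the snippet above, keyed by the media type
# that the AddType lines inside each block assign.
ALLOWED = {
    "text/html": re.compile(r".+\.html?$"),
    "image/svg+xml": re.compile(r".+\.svgz?$"),
}


def media_type(raw_headers):
    """Extract the bare media type from a raw response header block, or None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":
            # Drop parameters such as "; charset=utf-8" and normalise case.
            return value.split(";", 1)[0].strip().lower() or None
    return None


def audit(observations):
    """Return (file name, media type) pairs served as HTML or SVG although the
    name does not end in an extension the FilesMatch block re-enables."""
    findings = []
    for filename, raw_headers in observations:
        served = media_type(raw_headers)
        pattern = ALLOWED.get(served)
        if pattern is not None and not pattern.search(filename):
            findings.append((filename, served))
    return findings


# Constructed observations: (file name, response headers as `curl -sI` prints them).
SAMPLE = [
    ("index.html", "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"),
    ("logo.svg", "HTTP/1.1 200 OK\r\nContent-Type: image/svg+xml\r\n"),
    ("page.html.bak", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    ("icon.svg.old", "HTTP/1.1 200 OK\r\ncontent-type: Image/SVG+XML\r\n"),
    ("notes.html.txt", "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"),
    ("data.svg.bin", "HTTP/1.1 200 OK\r\nContent-Length: 12\r\n"),
]

if __name__ == "__main__":
    for name, served in audit(SAMPLE):
        print(f"{name}: still served as {served}")
```

An empty result from `audit` means every HTML or SVG response belonged to a file whose name ends in `.html`, `.htm`, `.svg` or `.svgz`.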

Related issues

Related to TYPO3 Core - Task #91354: Integrate server response security checks Closed 2020-05-10
Duplicates TYPO3 Core - Bug #91605: Amend .htaccess - fix wrong mime types Closed

Associated revisions

Revision 1ae3bb2a (diff)
Added by Markus Klein 2 months ago

[TASK] Add security relevant .htaccess configuration as default

Since #91354 the Core has security checks for valid and secure HTTP
responses. Add additional configuration in the default .htaccess
template to ensure those checks are green by default.

Resolves: #91893
Releases: master, 10.4, 9.5
Change-Id: Ibcb7d9b9b5fde3b1a9054d0cbf51fda710cd8f0d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65350
Tested-by: TYPO3com
Tested-by: Christian Kuhn
Tested-by: Daniel Goerz
Reviewed-by: Jörg Bösche
Reviewed-by: Christian Kuhn
Reviewed-by: Daniel Goerz

Revision 85ca2a03 (diff)
Added by Markus Klein 2 months ago

[TASK] Add security relevant .htaccess configuration as default

Since #91354 the Core has security checks for valid and secure HTTP
responses. Add additional configuration in the default .htaccess
template to ensure those checks are green by default.

Resolves: #91893
Releases: master, 10.4, 9.5
Change-Id: Ibcb7d9b9b5fde3b1a9054d0cbf51fda710cd8f0d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65412
Tested-by: TYPO3com
Tested-by: Daniel Goerz
Reviewed-by: Daniel Goerz

Revision ad5b7a52 (diff)
Added by Markus Klein 2 months ago

[TASK] Add security relevant .htaccess configuration as default

Since #91354 the Core has security checks for valid and secure HTTP
responses. Add additional configuration in the default .htaccess
template to ensure those checks are green by default.

Resolves: #91893
Releases: master, 10.4, 9.5
Change-Id: Ibcb7d9b9b5fde3b1a9054d0cbf51fda710cd8f0d
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/65413
Tested-by: TYPO3com
Tested-by: Daniel Goerz
Reviewed-by: Daniel Goerz

History

#1 Updated by Oliver Hader 3 months ago

  • Duplicates Bug #91605: Amend .htaccess - fix wrong mime types added

#2 Updated by Oliver Hader 3 months ago

  • Status changed from New to Closed

#3 Updated by Oliver Hader 3 months ago

  • Status changed from Closed to Accepted

#4 Updated by Markus Klein 2 months ago

  • Related to Task #91354: Integrate server response security checks added

#5 Updated by Gerrit Code Review 2 months ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65350

#6 Updated by Gerrit Code Review 2 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65350

#7 Updated by Gerrit Code Review 2 months ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65350

#8 Updated by Gerrit Code Review 2 months ago

Patch set 1 for branch 10.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65412

#9 Updated by Gerrit Code Review 2 months ago

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/65413

#10 Updated by Markus Klein 2 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#11 Updated by Benni Mack 21 days ago

  • Status changed from Resolved to Closed
