From cdd9ecdd68c8b0240a121a9bc07fd366a99bd1b3 Mon Sep 17 00:00:00 2001
From: Chris Smith <toonarmy@phpbb.com>
Date: Thu, 8 Apr 2010 10:08:18 +0200
Subject: [PATCH 1/5] [ticket/9520] Add some default web.config files for IIS.

These deny access to the various directories written to by phpBB.

PHPBB3-9520
---
 phpBB/cache/web.config                 | 13 +++++++++++++
 phpBB/files/web.config                 | 13 +++++++++++++
 phpBB/images/avatars/upload/web.config | 13 +++++++++++++
 phpBB/store/web.config                 | 13 +++++++++++++
 4 files changed, 52 insertions(+)
 create mode 100644 phpBB/cache/web.config
 create mode 100644 phpBB/files/web.config
 create mode 100644 phpBB/images/avatars/upload/web.config
 create mode 100644 phpBB/store/web.config

diff --git a/phpBB/cache/web.config b/phpBB/cache/web.config
new file mode 100644
index 0000000000..278494bafc
--- /dev/null
+++ b/phpBB/cache/web.config
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+	<system.webServer>
+		<rewrite>
+			<rules>
+				<rule name="phpBB Default Rule" stopProcessing="true">
+					<match url=".*" />
+					<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page." />
+				</rule>
+			</rules>
+		</rewrite>
+	</system.webServer>
+</configuration>
\ No newline at end of file
diff --git a/phpBB/files/web.config b/phpBB/files/web.config
new file mode 100644
index 0000000000..278494bafc
--- /dev/null
+++ b/phpBB/files/web.config
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+	<system.webServer>
+		<rewrite>
+			<rules>
+				<rule name="phpBB Default Rule" stopProcessing="true">
+					<match url=".*" />
+					<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page." />
+				</rule>
+			</rules>
+		</rewrite>
+	</system.webServer>
+</configuration>
\ No newline at end of file
diff --git a/phpBB/images/avatars/upload/web.config b/phpBB/images/avatars/upload/web.config
new file mode 100644
index 0000000000..278494bafc
--- /dev/null
+++ b/phpBB/images/avatars/upload/web.config
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+	<system.webServer>
+		<rewrite>
+			<rules>
+				<rule name="phpBB Default Rule" stopProcessing="true">
+					<match url=".*" />
+					<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page." />
+				</rule>
+			</rules>
+		</rewrite>
+	</system.webServer>
+</configuration>
\ No newline at end of file
diff --git a/phpBB/store/web.config b/phpBB/store/web.config
new file mode 100644
index 0000000000..278494bafc
--- /dev/null
+++ b/phpBB/store/web.config
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+	<system.webServer>
+		<rewrite>
+			<rules>
+				<rule name="phpBB Default Rule" stopProcessing="true">
+					<match url=".*" />
+					<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page." />
+				</rule>
+			</rules>
+		</rewrite>
+	</system.webServer>
+</configuration>
\ No newline at end of file

From 9ac7c492ed5c0537cb34dc3a21d9b9b612d0e091 Mon Sep 17 00:00:00 2001
From: Chris Smith <toonarmy@phpbb.com>
Date: Thu, 15 Apr 2010 23:12:14 +0100
Subject: [PATCH 2/5] [ticket/9520] Add suggested web.config for root files as
 suggested by Microsoft.

PHPBB3-9520
---
 phpBB/web.config | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 phpBB/web.config

diff --git a/phpBB/web.config b/phpBB/web.config
new file mode 100644
index 0000000000..7f2b40ec1b
--- /dev/null
+++ b/phpBB/web.config
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+	<system.webServer>
+		<rewrite>
+			<rules>
+				<rule name="phpBB config.php Rule" patternSyntax="Wildcard" stopProcessing="true">
+					<match url="*config.php" />
+					<action type="AbortRequest" />
+				</rule>
+				<rule name="phpBB common.php Rule" patternSyntax="Wildcard" stopProcessing="true">
+					<match url="*common.php" />
+					<action type="AbortRequest" />
+				</rule>
+			</rules>
+		</rewrite>
+	</system.webServer>
+</configuration>

From e11e53e11bd7ea67fe0b7b0145fe2941ca86fb84 Mon Sep 17 00:00:00 2001
From: Chris Smith <toonarmy@phpbb.com>
Date: Wed, 28 Apr 2010 19:13:01 +0100
Subject: [PATCH 3/5] [ticket/9520] Removed per directory web.config files.

These use the IIS rewriter to reject requests, Microsoft have suggested
we just use a single web.config with the builtin request filter.

PHPBB3-9520
---
 phpBB/cache/web.config                 | 13 -------------
 phpBB/files/web.config                 | 13 -------------
 phpBB/images/avatars/upload/web.config | 13 -------------
 phpBB/store/web.config                 | 13 -------------
 4 files changed, 52 deletions(-)
 delete mode 100644 phpBB/cache/web.config
 delete mode 100644 phpBB/files/web.config
 delete mode 100644 phpBB/images/avatars/upload/web.config
 delete mode 100644 phpBB/store/web.config

diff --git a/phpBB/cache/web.config b/phpBB/cache/web.config
deleted file mode 100644
index 278494bafc..0000000000
--- a/phpBB/cache/web.config
+++ /dev/null
@@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<configuration>
-	<system.webServer>
-		<rewrite>
-			<rules>
-				<rule name="phpBB Default Rule" stopProcessing="true">
-					<match url=".*" />
-					<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page." />
-				</rule>
-			</rules>
-		</rewrite>
-	</system.webServer>
-</configuration>
\ No newline at end of file
diff --git a/phpBB/files/web.config b/phpBB/files/web.config
deleted file mode 100644
index 278494bafc..0000000000
--- a/phpBB/files/web.config
+++ /dev/null
@@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<configuration>
-	<system.webServer>
-		<rewrite>
-			<rules>
-				<rule name="phpBB Default Rule" stopProcessing="true">
-					<match url=".*" />
-					<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page." />
-				</rule>
-			</rules>
-		</rewrite>
-	</system.webServer>
-</configuration>
\ No newline at end of file
diff --git a/phpBB/images/avatars/upload/web.config b/phpBB/images/avatars/upload/web.config
deleted file mode 100644
index 278494bafc..0000000000
--- a/phpBB/images/avatars/upload/web.config
+++ /dev/null
@@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<configuration>
-	<system.webServer>
-		<rewrite>
-			<rules>
-				<rule name="phpBB Default Rule" stopProcessing="true">
-					<match url=".*" />
-					<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page." />
-				</rule>
-			</rules>
-		</rewrite>
-	</system.webServer>
-</configuration>
\ No newline at end of file
diff --git a/phpBB/store/web.config b/phpBB/store/web.config
deleted file mode 100644
index 278494bafc..0000000000
--- a/phpBB/store/web.config
+++ /dev/null
@@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<configuration>
-	<system.webServer>
-		<rewrite>
-			<rules>
-				<rule name="phpBB Default Rule" stopProcessing="true">
-					<match url=".*" />
-					<action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page." />
-				</rule>
-			</rules>
-		</rewrite>
-	</system.webServer>
-</configuration>
\ No newline at end of file

From 8612fc23d4d7ca90ea80e5a12e7bd51ed315e0dd Mon Sep 17 00:00:00 2001
From: Chris Smith <toonarmy@phpbb.com>
Date: Wed, 28 Apr 2010 19:20:54 +0100
Subject: [PATCH 4/5] [ticket/9520] New web.config file as suggested by
 Microsoft using request filter

PHPBB3-9520
---
 phpBB/web.config | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/phpBB/web.config b/phpBB/web.config
index 7f2b40ec1b..e374e611f6 100644
--- a/phpBB/web.config
+++ b/phpBB/web.config
@@ -1,17 +1,25 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <configuration>
 	<system.webServer>
-		<rewrite>
-			<rules>
-				<rule name="phpBB config.php Rule" patternSyntax="Wildcard" stopProcessing="true">
-					<match url="*config.php" />
-					<action type="AbortRequest" />
-				</rule>
-				<rule name="phpBB common.php Rule" patternSyntax="Wildcard" stopProcessing="true">
-					<match url="*common.php" />
-					<action type="AbortRequest" />
-				</rule>
-			</rules>
-		</rewrite>
+		<security>
+			<requestFiltering>
+				<hiddenSegments>
+					<add segment="cache" />
+					<add segment="files" />
+					<add segment="store" />­
+				</hiddenSegments>
+			</requestFiltering>
+		</security>
 	</system.webServer>
+	<location path="images/avatars">
+		<system.webServer>
+			<security>
+				<requestFiltering>
+					<hiddenSegments>
+						<add segment="upload" />
+					</hiddenSegments>
+				</requestFiltering>
+			</security>
+		</system.webServer>
+	</location>
 </configuration>

From 43f47dba4c8e43b286391748763c00d3e949564b Mon Sep 17 00:00:00 2001
From: Chris Smith <toonarmy@phpbb.com>
Date: Wed, 28 Apr 2010 19:22:10 +0100
Subject: [PATCH 5/5] [ticket/9520] Additionally filter requests for
 {common,config}.php

PHPBB3-9520
---
 phpBB/web.config | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/phpBB/web.config b/phpBB/web.config
index e374e611f6..128fe3c98f 100644
--- a/phpBB/web.config
+++ b/phpBB/web.config
@@ -7,6 +7,8 @@
 					<add segment="cache" />
 					<add segment="files" />
 					<add segment="store" />­
+					<add segment="config.php" />
+					<add segment="common.php" />
 				</hiddenSegments>
 			</requestFiltering>
 		</security>