Merge pull request #6682 from marc1706/ticket/16213-master

[ticket/16213] Add .htaccess for phpbb and vendor folders -- master version
2025-06-07 20:08:53 +00:00 · 2024-07-28 20:56:10 +02:00 · 2024-07-28 20:56:10 +02:00 · f142f07f46
commit f142f07f46
parent 6747c4e62a 837939f28c
4 changed files with 34 additions and 3 deletions
--- a/build/build.xml
+++ b/build/build.xml
@ -181,7 +181,7 @@

 		<!-- create an empty config.php file (not for diffs) -->
 		<touch file="build/new_version/phpBB3/config.php" />
-		<copy file="build/new_version/phpBB3/phpbb/.htaccess" tofile="build/new_version/phpBB3/vendor/.htaccess" />
+		<copy file="build/new_version/phpBB3/vendor-ext/.htaccess" tofile="build/new_version/phpBB3/vendor/.htaccess" />

 	</target>

--- a/phpBB/docs/lighttpd.sample.conf
+++ b/phpBB/docs/lighttpd.sample.conf
@ -28,7 +28,7 @@ $HTTP["host"] == "www.myforums.com" {
 	accesslog.filename		= "/var/log/lighttpd/access-www.myforums.com.log"

 	# Deny access to internal phpbb files.
-	$HTTP["url"] =~ "^/(config|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor)" {
+	$HTTP["url"] =~ "^/(config|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor|vendor-ext)" {
 		url.access-deny = ( "" )
 	}

--- a/phpBB/docs/nginx.sample.conf
+++ b/phpBB/docs/nginx.sample.conf
@ -55,7 +55,7 @@ server {
 		}

 		# Deny access to internal phpbb files.
-		location ~ /(config|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor) {
+		location ~ /(config|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor|vendor-ext) {
 			deny all;
 			# deny was ignored before 0.8.40 for connections over IPv6.
 			# Use internal directive to prohibit access on older versions.
@ -92,4 +92,10 @@ server {
 		deny all;
 		internal;
 	}
+
+	# Deny access to apache configuration files.
+	location ~ /\.htaccess|/\.htpasswd|/\.htgroups {
+		deny all;
+		internal;
+	}
 }
--- a/phpBB/vendor-ext/.htaccess
+++ b/phpBB/vendor-ext/.htaccess
@ -0,0 +1,25 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_core.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		Order Allow,Deny
+		Deny from All
+	</IfVersion>
+	<IfVersion >= 2.4>
+		Require all denied
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		Order Allow,Deny
+		Deny from All
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+</IfModule>