From 84eb635d2c5b6c7578c366bc6ec9d19645d2fce3 Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 7 Jul 2024 15:24:34 +0200
Subject: [PATCH 1/2] [ticket/16213] Add .htaccess to vendor-ext as well

PHPBB-16213
---
 build/build.xml            |  2 +-
 phpBB/vendor-ext/.htaccess | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 phpBB/vendor-ext/.htaccess

diff --git a/build/build.xml b/build/build.xml
index d1eae7bd98..cf294e547e 100644
--- a/build/build.xml
+++ b/build/build.xml
@@ -181,7 +181,7 @@
 
 		<!-- create an empty config.php file (not for diffs) -->
 		<touch file="build/new_version/phpBB3/config.php" />
-		<copy file="build/new_version/phpBB3/phpbb/.htaccess" tofile="build/new_version/phpBB3/vendor/.htaccess" />
+		<copy file="build/new_version/phpBB3/vendor-ext/.htaccess" tofile="build/new_version/phpBB3/vendor/.htaccess" />
 
 	</target>
 
diff --git a/phpBB/vendor-ext/.htaccess b/phpBB/vendor-ext/.htaccess
new file mode 100644
index 0000000000..92e78ba1a7
--- /dev/null
+++ b/phpBB/vendor-ext/.htaccess
@@ -0,0 +1,25 @@
+# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
+# module mod_authz_host to a new module called mod_access_compat (which may be
+# disabled) and a new "Require" syntax has been introduced to mod_authz_core.
+# We could just conditionally provide both versions, but unfortunately Apache
+# does not explicitly tell us its version if the module mod_version is not
+# available. In this case, we check for the availability of module
+# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
+<IfModule mod_version.c>
+	<IfVersion < 2.4>
+		Order Allow,Deny
+		Deny from All
+	</IfVersion>
+	<IfVersion >= 2.4>
+		Require all denied
+	</IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+	<IfModule !mod_authz_core.c>
+		Order Allow,Deny
+		Deny from All
+	</IfModule>
+	<IfModule mod_authz_core.c>
+		Require all denied
+	</IfModule>
+</IfModule>

From 837939f28c81ee373cbdb419c312fec922fdfc0a Mon Sep 17 00:00:00 2001
From: Marc Alexander <admin@m-a-styles.de>
Date: Sun, 7 Jul 2024 15:26:33 +0200
Subject: [PATCH 2/2] [ticket/16213] Update nginx & lighttpd sample files as
 well

PHPBB-16213
---
 phpBB/docs/lighttpd.sample.conf | 2 +-
 phpBB/docs/nginx.sample.conf    | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/phpBB/docs/lighttpd.sample.conf b/phpBB/docs/lighttpd.sample.conf
index 1b57dd370c..fef922c2da 100644
--- a/phpBB/docs/lighttpd.sample.conf
+++ b/phpBB/docs/lighttpd.sample.conf
@@ -28,7 +28,7 @@ $HTTP["host"] == "www.myforums.com" {
 	accesslog.filename		= "/var/log/lighttpd/access-www.myforums.com.log"
 
 	# Deny access to internal phpbb files.
-	$HTTP["url"] =~ "^/(config|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor)" {
+	$HTTP["url"] =~ "^/(config|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor|vendor-ext)" {
 		url.access-deny = ( "" )
 	}
 
diff --git a/phpBB/docs/nginx.sample.conf b/phpBB/docs/nginx.sample.conf
index 8ee31b6d5e..ed1f25e023 100644
--- a/phpBB/docs/nginx.sample.conf
+++ b/phpBB/docs/nginx.sample.conf
@@ -55,7 +55,7 @@ server {
 		}
 
 		# Deny access to internal phpbb files.
-		location ~ /(config|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor) {
+		location ~ /(config|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor|vendor-ext) {
 			deny all;
 			# deny was ignored before 0.8.40 for connections over IPv6.
 			# Use internal directive to prohibit access on older versions.
@@ -92,4 +92,10 @@ server {
 		deny all;
 		internal;
 	}
+
+	# Deny access to apache configuration files.
+	location ~ /\.htaccess|/\.htpasswd|/\.htgroups {
+		deny all;
+		internal;
+	}
 }