Security: add rules to .htaccess to prevent direct PHP execution from the corresponding directories and updates security.html with a missing change in the previous commit. Using security.html is still the recommended way to go for security, but in the absence of that, we want to make sure Chamilo is always more secure.

7 years ago · 1c27a8b42a
parent e7fcee62b0
commit 1c27a8b42a
2 changed files with 9 additions and 3 deletions
--- a/.htaccess
+++ b/.htaccess
@ -8,6 +8,12 @@

 RewriteEngine on

+# Prevent execution of PHP from directories used for different types of uploads
+RedirectMatch 403 ^/app/(cache|courses|home|logs|upload)/.*\.(php|php4|php5)$
+RedirectMatch 403 ^/main/default_course_document/images/.*\.(php|php4|php5)$
+RedirectMatch 403 ^/main/lang/.*\.(php|php4|php5)$
+RedirectMatch 403 ^/web/css/.*\.(php|php4|php5)$
+
 # http://my.chamilo.net/certificates/?id=123 to http://my.chamilo.net/certificates/index.php?id=123
 RewriteCond %{QUERY_STRING} ^id=(.*)$
 RewriteRule ^certificates/$ certificates/index.php?id=%1 [L]
--- a/documentation/security.html
+++ b/documentation/security.html
@ -141,13 +141,13 @@ This will prevent direct access to your settings and make it seem totally the sa
  location ~ ^/app/(cache|courses|home|logs|upload)/.*\.(php|php4|php5)$ {
    deny all;
  }
-  location ~ ^/main/default_course_document/images/.*\.php$ {
+  location ~ ^/main/default_course_document/images/.*\.(php|php4|php5)$ {
    deny all;
  }
-  location ~ ^/main/lang/.*\.php$ {
+  location ~ ^/main/lang/.*\.(php|php4|php5)$ {
    deny all;
  }
-  location ~ ^/web/css/.*\.php$ {
+  location ~ ^/web/css/.*\.(php|php4|php5)$ {
    deny all;
  }
        </pre>