From 385a84efe62a1910700465c1748e4036dc43bf18 Mon Sep 17 00:00:00 2001
From: Yannick Warnier
Date: Tue, 24 Jul 2018 11:46:52 -0500
Subject: [PATCH] Security: Add app/Resources/public/css to the list of directories where execution of PHP is forbidden
---
 .htaccess | 2 +-
 documentation/security.html | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/.htaccess b/.htaccess
index c84dbea1e2..e91ea78d63 100755
--- a/.htaccess
+++ b/.htaccess
@@ -9,7 +9,7 @@ RewriteEngine on
 # Prevent execution of PHP from directories used for different types of uploads
-RedirectMatch 403 ^/app/(cache|courses|home|logs|upload)/.*\.ph(p[3457]?|t|tml|ar)$
+RedirectMatch 403 ^/app/(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)$
 RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$
 RedirectMatch 403 ^/main/lang/.*\.ph(p[3457]?|t|tml|ar)$
 RedirectMatch 403 ^/web/css/.*\.ph(p[3457]?|t|tml|ar)$
diff --git a/documentation/security.html b/documentation/security.html
index bb1c1d9488..b1110194d2 100755
--- a/documentation/security.html
+++ b/documentation/security.html
@@ -122,6 +122,9 @@ This will prevent direct access to your settings and make it seem totally the sa
 <Directory /var/www/URL/app/upload>
 php_admin_value engine Off
 </Directory>
+ <Directory /var/www/URL/app/Resources/public/css>
+ php_admin_value engine Off
+ </Directory>
 <Directory /var/www/URL/main/default_course_document/images>
 php_admin_value engine Off
 </Directory>
@@ -138,7 +141,7 @@ This will prevent direct access to your settings and make it seem totally the sa
 rules would have to be at the top of your location rules to take the highest priority:
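Review bot: The extended RedirectMatch rule in the .htaccess hunk inherits two gaps from the existing pattern: it is anchored at `$` and is case-sensitive, so a request whose path continues after the extension or uses an upper-case extension does not match, whereas Apache's mod_mime maps handlers by extension case-insensitively and, where path info is accepted, may still route trailing segments to the script. A stricter form would be `RedirectMatch 403 (?i)^/app/(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)(/|$)`, and the same anchoring applies to the three `^/main/` and `^/web/css/` rules in this hunk. This rule only takes effect where `AllowOverride` permits `.htaccess` and mod_alias is loaded, so the `php_admin_value engine Off` blocks this commit adds to documentation/security.html remain the authoritative control under mod_php; a short comment above the rule noting that dependency would help operators who deploy without .htaccess processing.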
-  location ~ ^/app/(cache|courses|home|logs|upload)/.*\.ph(p[3457]?|t|tml|ar)$ {
+  location ~ ^/app/(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)$ {
     deny all;
   }
   location ~ ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$ {