Security: Update PHP files extension matching pattern in .htaccess and documentation to match all possible forms supported by PHP 5 and PHP 7.

7 years ago · d5129ad7ed
parent 1c27a8b42a
commit d5129ad7ed
2 changed files with 8 additions and 8 deletions
--- a/.htaccess
+++ b/.htaccess
@ -9,10 +9,10 @@
 RewriteEngine on

 # Prevent execution of PHP from directories used for different types of uploads
-RedirectMatch 403 ^/app/(cache|courses|home|logs|upload)/.*\.(php|php4|php5)$
-RedirectMatch 403 ^/main/default_course_document/images/.*\.(php|php4|php5)$
-RedirectMatch 403 ^/main/lang/.*\.(php|php4|php5)$
-RedirectMatch 403 ^/web/css/.*\.(php|php4|php5)$
+RedirectMatch 403 ^/app/(cache|courses|home|logs|upload)/.*\.ph(p[3457]?|t|tml|ar)$
+RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$
+RedirectMatch 403 ^/main/lang/.*\.ph(p[3457]?|t|tml|ar)$
+RedirectMatch 403 ^/web/css/.*\.ph(p[3457]?|t|tml|ar)$

 # http://my.chamilo.net/certificates/?id=123 to http://my.chamilo.net/certificates/index.php?id=123
 RewriteCond %{QUERY_STRING} ^id=(.*)$
--- a/documentation/security.html
+++ b/documentation/security.html
@ -138,16 +138,16 @@ This will prevent direct access to your settings and make it seem totally the sa
        rules would have to be at the top of your location rules to take the
        highest priority:
        <pre>
-  location ~ ^/app/(cache|courses|home|logs|upload)/.*\.(php|php4|php5)$ {
+  location ~ ^/app/(cache|courses|home|logs|upload)/.*\.ph(p[3457]?|t|tml|ar)$ {
    deny all;
  }
-  location ~ ^/main/default_course_document/images/.*\.(php|php4|php5)$ {
+  location ~ ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$ {
    deny all;
  }
-  location ~ ^/main/lang/.*\.(php|php4|php5)$ {
+  location ~ ^/main/lang/.*\.ph(p[3457]?|t|tml|ar)$ {
    deny all;
  }
-  location ~ ^/web/css/.*\.(php|php4|php5)$ {
+  location ~ ^/web/css/.*\.ph(p[3457]?|t|tml|ar)$ {
    deny all;
  }
        </pre>