
Block access to various project files #2359

Merged: fballiano merged 4 commits into 1.9.4.x from htaccess-block-project-files on Aug 10, 2022

Conversation

colinmollenhour
Member

Note, this blocks access to files of these types in directories other than the root directory as well.


fballiano
fballiano previously approved these changes Aug 3, 2022
@elidrissidev
Member

Not sure about JSON files (other than composer.json of course), I've seen many extensions that provide such files that are loaded from the frontend.

@fballiano
Contributor

@elidrissidev is totally right, we should block every json, we could have a manifest.json for pwa support.

@fballiano fballiano self-requested a review August 5, 2022 15:09
@colinmollenhour
Member Author

we should block every json

I assume you meant not block?
I see no problem with allowing common files like manifest.json


@colinmollenhour
Member Author

I added a negative lookbehind for manifest.json specifically. Is that good or would you prefer to explicitly block only certain files?

I think in a production environment it is likely the user will need to modify this file anyway...


@ADDISON74
Contributor

  1. I would add sh to the list of extensions. So that it can no longer check the existence of the file cron.sh, used internally within the cronjob. Other extensions that can be found in OpenMage should also be analyzed, for example csv (exports), log. Even if some directories have protections in their own .htaccess files, an extra measure is welcome.

  2. And a harmless proposal: Order and Deny with a capital letter. The initial Magento file complied with this requirement, but the RELEASE_NOTES chunk was added later in OpenMage and someone introduced lowercase.

@OpenMage OpenMage deleted a comment from colinmollenhour Aug 8, 2022
@fballiano
Contributor

I assume you meant not block? I see no problem with allowing common files like manifest.json

Yes, sorry for the mistake.

fballiano
fballiano previously approved these changes Aug 8, 2022
@colinmollenhour
Member Author

Changed capitalization and added .sh and .yaml to list of blocked extensions.
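The rule discussed in this thread can be checked offline before it is deployed. The following is an added example, not OpenMage's actual .htaccess and not code from this PR: it embeds a constructed FilesMatch block modelled on the discussion (extension list including sh and yaml, a negative lookbehind exempting manifest.json, capitalised Order/Deny), extracts the regex, and emulates Apache's behaviour of matching the basename of the requested file. The exact pattern and the sample request paths are assumptions made for the illustration.

```python
import re

# Constructed .htaccess fragment modelled on the rule discussed in this PR.
# It is an illustration, not OpenMage's actual .htaccess: the extension
# list, the manifest.json exemption and the capitalised Order/Deny are
# assumptions taken from the discussion above.
HTACCESS_SNIPPET = r'''
############################################
## Deny direct HTTP access to project files

<FilesMatch "(?<!manifest)\.(?:json|lock|md|sh|ya?ml)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
'''

_FILESMATCH_DIRECTIVE = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>', re.IGNORECASE)


def extract_filesmatch_pattern(htaccess_text: str) -> str:
    """Return the regex of the first <FilesMatch "..."> directive."""
    match = _FILESMATCH_DIRECTIVE.search(htaccess_text)
    if match is None:
        raise ValueError("no <FilesMatch> directive found")
    return match.group(1)


def is_blocked(request_path: str, pattern: str) -> bool:
    """Emulate Apache FilesMatch: the regex is applied to the basename of
    the requested file, not the full path, so the rule takes effect in
    every directory, not only the web root (as the PR description notes)."""
    basename = request_path.rsplit("/", 1)[-1]
    return re.search(pattern, basename) is not None


def classify(paths, htaccess_text: str = HTACCESS_SNIPPET) -> dict:
    """Map each request path to True (denied) or False (served)."""
    pattern = extract_filesmatch_pattern(htaccess_text)
    return {path: is_blocked(path, pattern) for path in paths}


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real access log.
    sample_requests = [
        "composer.json",
        "composer.lock",
        "README.md",
        "shell/cron.sh",
        "app/etc/config.yaml",
        "manifest.json",
        "skin/frontend/base/default/manifest.json",
        "media/custom-manifest.json",
        "index.php",
    ]
    for path, denied in classify(sample_requests).items():
        print(f"{'DENY ' if denied else 'ALLOW'} {path}")
```

Two properties of the pattern are worth checking this way: the lookbehind is not anchored, so any basename ending in manifest.json (custom-manifest.json, for example) is exempted as well, which is the price of the simple regex; and FilesMatch is case-sensitive unless the pattern starts with (?i), so README.MD would still be served. Order/Deny are Apache 2.2 directives that 2.4 honours only through mod_access_compat; the 2.4 equivalent is Require all denied.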


@fballiano fballiano merged commit 1791fcc into 1.9.4.x Aug 10, 2022
@fballiano fballiano deleted the htaccess-block-project-files branch August 10, 2022 08:27
@github-actions
Contributor

Unit Test Results

1 files  ±0  1 suites  ±0   0s ⏱️ ±0s
0 tests ±0  0 ✔️ ±0  0 💤 ±0  0 ❌ ±0 
7 runs  ±0  5 ✔️ ±0  2 💤 ±0  0 ❌ ±0 

Results for commit 1791fcc. ± Comparison against base commit 35acb46.

sreichel added a commit that referenced this pull request Aug 12, 2022
* Merge PR #2342

* Revert "Add basic text for Ukraine (#2074)" (#2325)

This reverts commit 33dfa26.

* Mage_Catalog_Model_Product_Attribute_Backend_Groupprice_Abstract: avoid loading all websites when using only the current one (#2351)

* Added support for HTTP2 to Mage_HTTP_Client_Curl (#1137)

* Blocked access to all dot files (#2349)

* Capitalization Adjustment Regarding CamelCase in Method Names (#2365)

* refactor: Adjusted capitalization of two public methods.

* refactor: Adjusted capitalization of one protected method.

* refactor: Adjusted capitalization of where call.

* chore: Removed fixed error from phpstan baseline.

* Some microoptimization (#2335)

* Avoid duplicate method calls

* Replaced array_push()

* Changed substr() third parameter

* Use array_key_exists()

* php7 opcode - internal functions

* Enclosed error with <pre> tag for prettier error print (if developer mode is enabled). (#2368)

* Updated phpstan to 1.8.2 (#2367)

* Escape product titles in MSRP JavaScript (#2366)

* Product names were not escaped. If contained a double quote, would break the JavaScript for MSRP/MAP

* update contribution list

* Update boxes.css (#2330)

* Force describeTable() to use read DB adapter (#2371)

* Do not install n98/n98_layouthelper (#2373)

* Add apt update to XML validation workflow (#2376)

* Merged PR #2375

* Replace remaining "sizeof" calls with "count" (#2369)

* Remove DISCLAIMER and change Magento -> OpenMage in header (#2297)

* Added label for phpstan cosmetic changes (#2384)

* Added weight to salesOrderShipmentAddTrack API (#1377)

* PHPStan/DOCBlock fixes (#2336)

* Updated docs for email addTo() (#2382)

* Updated phpstan experimental (#2386)

* Cosmetic changes to Mage_Payment_Model_Method_Abstract::validate() (#2388)

* Replaced join() calls with implode() (#2389)

* Hidden empty sub menu from backend (#2391)

* Remove Thumbs.db file (#2394)

* Support PHP 8.1 in composer.json (#2378)

* php condition in composer.json

This solves the issue related to php versions > 8.1

* Reduced condition for PHP requirement

* Changed PHP requirement

* Updated version in Ubuntu 22.04 based on PHP 8.1.2

* Composer.lock updated in Ubuntu 20.04 (PHP 8.1.2)

* Update composer.lock

* Update composer.lock

* Blocked various file types in .htaccess (#2359)

* Color swatches work with disparate product IDs (#2390)

* Move Credit Memo at the end of the buttons list (#2392)

* Version bump (#2387)

* Minor fixes on 'filter_condition_callback' method _filterStoreCondition() (#2362)

* add ReturnTypeWillChange to various files caught by code style checker #2302

* Phpstan fixes (#2396)

* Fixed addCrumb()

* Fixed initForm() and _needToAddDummy()

* Fixed addLink()

* Fixed addLinkRel()

* Fixed canUseCanonicalTag()

* Fixed getAddUrl...()

* Fixed rollBack() camelCase error reported by phpstan (#2403)

* Changes default root dir in composer.json (#2401)

* Fixed targetNamespace for WS-I Compliant SOAP APIs (#2405)

* Updated phpstan baseline

Co-authored-by: sv3n <github-sr@hotmail.com>
Co-authored-by: Fabian Blechschmidt <github@fabian-blechschmidt.de>
Co-authored-by: Colin Mollenhour <colin@mollenhour.com>
Co-authored-by: Kevin Jakob <kevin-jakob@web.de>
Co-authored-by: Ng Kiat Siong <kiatsiong.ng@gmail.com>
Co-authored-by: Scott Moore <scott.moore@dfsupplyinc.com>
Co-authored-by: ADDISON <8360474+ADDISON74@users.noreply.github.com>
Co-authored-by: Justin Beaty <51970393+justinbeaty@users.noreply.github.com>
Co-authored-by: luigifab <31816829+luigifab@users.noreply.github.com>
Co-authored-by: Daniel Fahlke <flyingmana@googlemail.com>
Co-authored-by: leissbua <68073221+leissbua@users.noreply.github.com>