Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EZP-31519: Moved app.php rejection snippet from front controller to ezpublish-kernel #514

Merged
merged 1 commit into from
Apr 1, 2020
Merged

EZP-31519: Moved app.php rejection snippet from front controller to ezpublish-kernel #514

merged 1 commit into from
Apr 1, 2020

Conversation

webhdx
Copy link
Contributor

@webhdx webhdx commented Mar 26, 2020

JIRA: https://jira.ez.no/browse/EZP-31519

I've changed the rule in vhost.template files in order to unify logic in both places. This way we can block some requests on httpd level.

Rejection logic has been moved to: ezsystems/ezpublish-kernel#3010

@webhdx webhdx self-assigned this Mar 26, 2020
@mnocon mnocon assigned webhdx and mnocon and unassigned webhdx Mar 27, 2020
mnocon
mnocon reviewed Mar 29, 2020
View reviewed changes
Copy link
Member

@mnocon mnocon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On nginx/apache this regex blocks paths like:

http://example.com/app.php
http://example.com/TestFolder1/app.php

(where TestFolder1 and TestFolder2 are existing Content Items)

But fails to block (homepage is displayed instead):

http://example.com/TestFolder1/TestFolder2/app.php
http://example.com/app.phprandom

Writing it here as I'm not sure what's supposed to be blocked, maybe this kind of URLs should be rejected as well.

@glye
Copy link
Member

glye commented Mar 30, 2020
edited
Loading

As I recall, this is as intended. The point is to block all direct access to app.php, while not blocking content named *app.php*. If in doubt, better to block too much than too little.

@webhdx
Copy link
Contributor Author

webhdx commented Mar 30, 2020
edited
Loading

I just moved the logic from EZP-30716. If this should be changed then we need new ticket and this should be done after 3.0 release as this is the highest priority at the moment. I need this to be merged in order to merge it up to 2.5 and master.

ping @lserwatka

EDIT: Let's hold on for a moment. I haven't notice reported issues in ezsystems/ezpublish-kernel#3010

@webhdx
Copy link
Contributor Author

webhdx commented Apr 1, 2020

@mnocon Can I get final approval from you? We need to merge it.

@webhdx webhdx merged commit 6325bca into ezsystems:1.13 Apr 1, 2020
@webhdx webhdx deleted the reject_front_controller branch April 1, 2020 10:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mnocon mnocon mnocon approved these changes

@alongosz alongosz alongosz approved these changes

@damianz5 damianz5 damianz5 approved these changes

@glye glye glye approved these changes

@adamwojs adamwojs adamwojs approved these changes

@lserwatka lserwatka Awaiting requested review from lserwatka

@mikadamczyk mikadamczyk Awaiting requested review from mikadamczyk

@Nattfarinn Nattfarinn Awaiting requested review from Nattfarinn

@ViniTou ViniTou Awaiting requested review from ViniTou

@michal-myszka michal-myszka Awaiting requested review from michal-myszka

Assignees

@webhdx webhdx

@mnocon mnocon

Labels
Improvement Ready for review
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@webhdx @glye @adamwojs @damianz5 @alongosz @mnocon