From a0566abffe872cca0a7e06eb2b4d08093f15fbda Mon Sep 17 00:00:00 2001
From: Fabian Schmengler
Date: Fri, 11 Jan 2019 11:18:28 +0100
Subject: [PATCH] Deny access to XML and PHTML files in pub/errors
For apache via .htaccess and in nginx sample configuration
---
 nginx.conf.sample | 7 ++++++-
 pub/errors/.htaccess | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/nginx.conf.sample b/nginx.conf.sample
index 90604808f6ec0..80cc88431eff8 100644
--- a/nginx.conf.sample
+++ b/nginx.conf.sample
@@ -159,6 +159,11 @@ location /media/downloadable/ {
 location /media/import/ {
 deny all;
 }
+location /errors/ {
+ location ~* \.xml$ {
+ deny all;
+ }
+}
 # PHP entry point for main application
 location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
@@ -198,6 +203,6 @@ gzip_types
 gzip_vary on;
 # Banned locations (only reached if the earlier PHP entry point regexes don't match)
-location ~* (\.php$|\.htaccess$|\.git) {
+location ~* (\.php$|\.phtml$|\.htaccess$|\.git) {
 deny all;
 }
diff --git a/pub/errors/.htaccess b/pub/errors/.htaccess
index 3692dd439e2ff..a7b9cbda05893 100644
--- a/pub/errors/.htaccess
+++ b/pub/errors/.htaccess
@@ -1,4 +1,7 @@
 Options None + + Deny from all + RewriteEngine Off
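Review bot: The nested `location ~* \.xml$` in the new `/errors/` block of nginx.conf.sample only denies names that end in `.xml`, so an editor or backup copy of the same configuration (a name ending in `.xml.bak` or `.xml~`) would still be served as a static file. The `\.phtml$` alternative added to the banned-locations regex in the second hunk has the same end-anchored limit. If those copies should also be private, the pattern could be widened to `location ~* \.xml(\..*|~)?$ {`. The block also matches only the `/errors/` URI prefix, which presumably assumes the server root is the `pub` directory; a one-line comment above it such as `# Error-page configuration must not be downloadable (assumes root is pub/)` would make that explicit for anyone adapting the sample.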
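Review bot: `Deny from all` in the block added to pub/errors/.htaccess is the Apache 2.2 access directive, and on Apache 2.4 it is only understood while mod_access_compat is loaded. Without that module the directive is a configuration error, so every request under pub/errors would fail with a 500, the error pages themselves included. Selecting the directive by module keeps the rule working on both versions: `Require all denied` where mod_authz_core is present and the existing line otherwise. The opening and closing lines of the container around the rule are not legible in this rendering of the hunk, so the fence shows only the inner lines.

```apache
# … unchanged: opening line of the file-matching container added by this hunk …
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Deny from all
    </IfModule>
# … unchanged: closing line of that container …
```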