Secure errors directory

[schmengler]

Description (*)

For Apache: deny access to XML and PHTML files within errors directory (pub/errors/.htaccess)
For Nginx: deny access to PHTML files in general and XML files within errors directory (nginx.conf.sample)

Fixed Issues (if relevant)

1. errors/local.xml and error page templates are publicly accessible #20209: errors/local.xml and error page templates are publicly accessible

Manual testing scenarios (*)

See issue #20209

Contribution checklist (*)

• Pull request has a meaningful description of its purpose
• All commits are accompanied by meaningful commit messages
• All new or changed code is covered with unit/integration tests (if applicable)
• All automated tests passed successfully (all builds on Travis CI are green)

[magento-engcom-team]

Hi @schmengler. Thank you for your contribution
Here is some useful tips how you can test your changes using Magento test environment.
Add the comment under your pull request to deploy test or vanilla Magento instance:

• @magento-engcom-team give me test instance - deploy test instance based on PR changes
• @magento-engcom-team give me 2.3-develop instance - deploy vanilla Magento instance

For more details, please, review the Magento Contributor Assistant documentation

[schmengler]

@magento-engcom-team give me test instance

[magento-engcom-team]

Hi @schmengler. Thank you for your request. I'm working on Magento instance for you

[magento-engcom-team]

Hi @schmengler, here is your new Magento instance.
Admin access: https://pr-20212.instances.magento-community.engineering/admin
Login: admin Password: 123123q

[schmengler]

Confirmed on test instance:

Before

• https://i-20209-2-3-0.instances.magento-community.engineering/pub/errors/design.xml
• https://i-20209-2-3-0.instances.magento-community.engineering/pub/errors/default/page.phtml

After:

• https://pr-20212.instances.magento-community.engineering/pub/errors/design.xml => 404
• https://pr-20212.instances.magento-community.engineering/pub/errors/default/page.phtml => 404

[orlangur]

@schmengler maybe forbid both xml and phtml in both occurrences here?

[schmengler]

I was tempted to, but not sure if that could block legit requests

[wigman]

wouldn't that block sitemaps?

[orlangur]

@schmengler, ok, noticed

For Nginx: deny access to PHTML files in general and XML files within errors directory (nginx.conf.sample)

Do we need to give access for some xml in reality?

[orlangur]

Thanks @wigman!) That's the case.

[davidverholen]

although they should not be, sitemaps can be named dynamically so this is not possible I guess?
so for now maybe only excluding .xml in the errors directory could do it?

[orlangur]

@davidverholen aren't they placed in some specific directory with name corresponding to some mask?

[davidverholen]

you can choose a relative path and filename under the pub directory, so it's not possible to determine (at least by filename)

[davidverholen]

maybe a solution could be, to block the errors directory completely and only explicitly allow files that need to be public? Could be difficult for custom error themes as they lie in sub directories of errors and also can be named dynamically

[schmengler]

I don't see a satisfying general solution here yet

[orlangur]

@schmengler changes looks good to me, can you squash them into one commit maybe specifying all three points in commit message? Changes in general look atomic to me and does not require splittin into few commits.

[schmengler]

@orlangur OK, squashed

[magento-engcom-team]

Hi @orlangur, thank you for the review.
ENGCOM-4562 has been created to process this Pull Request

[soleksii]

✔️ QA Passed

Result:

[ghost]

Hi @schmengler, thank you for your contribution!
Please, complete Contribution Survey, it will take less than a minute.
Your feedback will help us to improve contribution process.