API Filter composer files in IIS and Apache rules (fixes #8011)

They can expose version information, so shouldn't be accessible through the web. The better solution of course is to move to a public/ subfolder application structure.
2013-02-15 19:13:41 +01:00 · 2013-02-15 19:13:41 +01:00 · 23523175f3
parent 52590b9019
commit 23523175f3
2 changed files with 15 additions and 1 deletions
--- a/.htaccess
+++ b/.htaccess
@ -15,6 +15,8 @@ ErrorDocument 500 /assets/error-500.html

 <IfModule mod_alias.c>
 	RedirectMatch 403 /silverstripe-cache(/|$)
+	RedirectMatch 403 /vendor(/|$)
+	RedirectMatch 403 /composer\.(json|lock)
 </IfModule>

 <IfModule mod_rewrite.c>
--- a/web.config
+++ b/web.config
@ -1,5 +1,17 @@
-<?xml version="1.0" encoding="utf-8"?>
 <configuration>
 	<system.webServer>
+		<security>
+			<requestFiltering>
+				<hiddenSegments>
+					<add segment="silverstripe-cache/" />
+					<add segment="vendor" />
+					<add segment="composer.json" />
+					<add segment="composer.lock" />
+				</hiddenSegments>
+				<fileExtensions allowUnlisted="true" >
+					<add fileExtension=".ss" allowed="false"/>
+				</fileExtensions>
+			</requestFiltering>
+		</security>
 	</system.webServer>
 </configuration>