From 23523175f38a4aa5a21a6f98ef44918e2b6774f6 Mon Sep 17 00:00:00 2001
From: Ingo Schommer <ingo@silverstripe.com>
Date: Fri, 15 Feb 2013 19:13:41 +0100
Subject: [PATCH] API Filter composer files in IIS and Apache rules (fixes
 #8011)

They can expose version information, so shouldn't be accessible
through the web. The better solution of course is to move
to a public/ subfolder application structure.
---
 .htaccess  |  2 ++
 web.config | 14 +++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/.htaccess b/.htaccess
index 81ef22c..4cda2c7 100644
--- a/.htaccess
+++ b/.htaccess
@@ -15,6 +15,8 @@ ErrorDocument 500 /assets/error-500.html
 
 <IfModule mod_alias.c>
 	RedirectMatch 403 /silverstripe-cache(/|$)
+	RedirectMatch 403 /vendor(/|$)
+	RedirectMatch 403 /composer\.(json|lock)
 </IfModule>
 
 <IfModule mod_rewrite.c>
diff --git a/web.config b/web.config
index a04afa1..1d956b5 100644
--- a/web.config
+++ b/web.config
@@ -1,5 +1,17 @@
-<?xml version="1.0" encoding="utf-8"?>
 <configuration>
 	<system.webServer>
+		<security>
+			<requestFiltering>
+				<hiddenSegments>
+					<add segment="silverstripe-cache/" />
+					<add segment="vendor" />
+					<add segment="composer.json" />
+					<add segment="composer.lock" />
+				</hiddenSegments>
+				<fileExtensions allowUnlisted="true" >
+					<add fileExtension=".ss" allowed="false"/>
+				</fileExtensions>
+			</requestFiltering>
+		</security>
 	</system.webServer>
 </configuration>
\ No newline at end of file