From b0caa5c68099e6f2f85a0a5e3f82eb5d0bd4922d Mon Sep 17 00:00:00 2001
From: sminnee <sminnee@467b73ca-7a2a-4603-9d3b-597d59a354a9>
Date: Tue, 19 Oct 2010 23:00:58 +0000
Subject: [PATCH] BUGFIX: Enhance the protection of the assets/ directory in
 both IIS and Apache by including a file type whitelist.

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/phpinstaller/branches/2.4@112963 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 assets/.htaccess  | 35 ++++++++++++++++-
 assets/web.config | 97 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 130 insertions(+), 2 deletions(-)
 create mode 100644 assets/web.config

diff --git a/assets/.htaccess b/assets/.htaccess
index ac6412a..f86e6e2 100644
--- a/assets/.htaccess
+++ b/assets/.htaccess
@@ -1,2 +1,33 @@
-RemoveHandler .php .phtml .php3 .php4 .php5 .inc
-RemoveType .php .phtml .php3 .php4 .php5 .inc
+#
+# Whitelist appropriate assets files.
+# Note that you will need to maintain this whitelist yourself if you modify File::$allowed_extensions
+#
+# If you are not using Apache then you can ignore this file.
+# If you are using IIS then you should look at assets/web.config instead.
+#
+# To add an extension to the list, you need to put another string of the form "ext|" on the
+# FilesMatch line, inside the parentheses. 
+#
+# For example, to add *.exe files to list of downloadable assets, change this line: 
+#
+#   <FilesMatch "\.(html|htm|xhtml...
+#
+# To this:
+#
+#   <FilesMatch "\.(exe|html|htm|xhtml...
+#
+# Once you do this, visitors will be able to download *.exe files that are uploaded to the assets
+# directory.
+#
+Deny from all
+<FilesMatch "\.(html|htm|xhtml|js|css|bmp|png|gif|jpg|jpeg|ico|pcx|tif|tiff|au|mid|midi|mpa|mp3|ogg|m4a|ra|wma|wav|cda|avi|mpg|mpeg|asf|wmv|m4v|mov|mkv|mp4|swf|flv|ram|rm|doc|docx|txt|rtf|xls|xlsx|pages|ppt|pptx|pps|csv|cab|arj|tar|zip|zipx|sit|sitx|gz|tgz|bz2|ace|arc|pkg|dmg|hqx|jar|xml|pdf)$">
+	Allow from all
+</FilesMatch>
+
+# We disable PHP via several methods
+# Replace the handler with the default plaintext handler
+AddHandler default-handler php phtml php3 php4 php5 inc
+
+# Turn the PHP engine off
+php_flag engine off
+
diff --git a/assets/web.config b/assets/web.config
new file mode 100644
index 0000000..df26900
--- /dev/null
+++ b/assets/web.config
@@ -0,0 +1,97 @@
+<!--
+
+Configuration to whitelist appropriate asset files, for IIS.
+Note that you will need to maintain this whitelist yourself if you modify File::$allowed_extensions
+
+If you are not using IIS then you can ignore this file.
+If you are using Apache then you should look at assets/.htaccess instead.
+
+To add an extension to to the list, you will need to add another <add> entry inside the <fileExtensions>
+tag.
+
+For example, to add *.exe files to the list of downloadable assets, add this line below the
+<fileExtensions line>:
+
+    <add fileExtension=".exe" allowed="true" />
+
+Once you do this, visitors will be able to download *.exe files that are uploaded to the assets
+directory.
+
+-->
+<configuration>
+	<system.webServer>
+		<security>
+			<requestFiltering>
+				<fileExtensions allowUnlisted="false" applyToWebDAV="true">
+					<add fileExtension=".html" allowed="true" />
+					<add fileExtension=".htm" allowed="true" />
+					<add fileExtension=".xhtml" allowed="true" />
+					<add fileExtension=".js" allowed="true" />
+					<add fileExtension=".css" allowed="true" />
+					<add fileExtension=".bmp" allowed="true" />
+					<add fileExtension=".png" allowed="true" />
+					<add fileExtension=".gif" allowed="true" />
+					<add fileExtension=".jpg" allowed="true" />
+					<add fileExtension=".jpeg" allowed="true" />
+					<add fileExtension=".ico" allowed="true" />
+					<add fileExtension=".pcx" allowed="true" />
+					<add fileExtension=".tif" allowed="true" />
+					<add fileExtension=".tiff" allowed="true" />
+					<add fileExtension=".au" allowed="true" />
+					<add fileExtension=".mid" allowed="true" />
+					<add fileExtension=".midi" allowed="true" />
+					<add fileExtension=".mpa" allowed="true" />
+					<add fileExtension=".mp3" allowed="true" />
+					<add fileExtension=".ogg" allowed="true" />
+					<add fileExtension=".m4a" allowed="true" />
+					<add fileExtension=".ra" allowed="true" />
+					<add fileExtension=".wma" allowed="true" />
+					<add fileExtension=".wav" allowed="true" />
+					<add fileExtension=".cda" allowed="true" />
+					<add fileExtension=".avi" allowed="true" />
+					<add fileExtension=".mpg" allowed="true" />
+					<add fileExtension=".mpeg" allowed="true" />
+					<add fileExtension=".asf" allowed="true" />
+					<add fileExtension=".wmv" allowed="true" />
+					<add fileExtension=".m4v" allowed="true" />
+					<add fileExtension=".mov" allowed="true" />
+					<add fileExtension=".mkv" allowed="true" />
+					<add fileExtension=".mp4" allowed="true" />
+					<add fileExtension=".swf" allowed="true" />
+					<add fileExtension=".flv" allowed="true" />
+					<add fileExtension=".ram" allowed="true" />
+					<add fileExtension=".rm" allowed="true" />
+					<add fileExtension=".doc" allowed="true" />
+					<add fileExtension=".docx" allowed="true" />
+					<add fileExtension=".txt" allowed="true" />
+					<add fileExtension=".rtf" allowed="true" />
+					<add fileExtension=".xls" allowed="true" />
+					<add fileExtension=".xlsx" allowed="true" />
+					<add fileExtension=".pages" allowed="true" />
+					<add fileExtension=".ppt" allowed="true" />
+					<add fileExtension=".pptx" allowed="true" />
+					<add fileExtension=".pps" allowed="true" />
+					<add fileExtension=".csv" allowed="true" />
+					<add fileExtension=".cab" allowed="true" />
+					<add fileExtension=".arj" allowed="true" />
+					<add fileExtension=".tar" allowed="true" />
+					<add fileExtension=".zip" allowed="true" />
+					<add fileExtension=".zipx" allowed="true" />
+					<add fileExtension=".sit" allowed="true" />
+					<add fileExtension=".sitx" allowed="true" />
+					<add fileExtension=".gz" allowed="true" />
+					<add fileExtension=".tgz" allowed="true" />
+					<add fileExtension=".bz2" allowed="true" />
+					<add fileExtension=".ace" allowed="true" />
+					<add fileExtension=".arc" allowed="true" />
+					<add fileExtension=".pkg" allowed="true" />
+					<add fileExtension=".dmg" allowed="true" />
+					<add fileExtension=".hqx" allowed="true" />
+					<add fileExtension=".jar" allowed="true" />
+					<add fileExtension=".xml" allowed="true" />
+					<add fileExtension=".pdf" allowed="true" />
+				</fileExtensions>
+			</requestFiltering>
+		</security>
+	</system.webServer>
+</configuration>
\ No newline at end of file