Merge pull request #2 from silverstripe-security/pulls/4.0/ss-2018-012

[ss-2018-012] Prevent php code execution in assets folder
2024-10-22 17:05:33 +02:00 · 2018-05-14 17:18:36 +12:00 · 2018-05-14 17:18:36 +12:00 · c6ff9b1245
commit c6ff9b1245
parent 81045f46c2 f9c03fa623
1 changed files with 10 additions and 5 deletions
--- a/assets/.htaccess
+++ b/assets/.htaccess
@ -4,6 +4,15 @@
 # See AssetAdapter::renderTemplate() for reference.
 #
 # We disable PHP via several methods
 # Replace the handler with the default plaintext handler
 AddHandler default-handler php phtml php3 php4 php5 inc
 <IfModule mod_php5.c>
    # Turn the PHP engine off
    php_flag engine off
 </IfModule>
 <IfModule mod_rewrite.c>
    <IfModule mod_env.c>
        SetEnv HTTP_MOD_REWRITE On
@ -11,16 +20,12 @@
    RewriteEngine On
    # Disable PHP handler
    RewriteCond %{REQUEST_URI} .(?i:php|phtml|php3|php4|php5|inc)$
    RewriteRule .* - [F]
    # Allow error pages
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule error[^\\/]*\.html$ - [L]
    # Block invalid file extensions
-    RewriteCond %{REQUEST_URI} !\.(?i:ace|arc|arj|asf|au|avi|bmp|bz2|cab|cda|css|csv|dmg|doc|docx|dotx|dotm|flv|gif|gpx|gz|hqx|ico|jar|jpeg|jpg|js|kml|m4a|m4v|mid|midi|mkv|mov|mp3|mp4|mpa|mpeg|mpg|ogg|ogv|pages|pcx|pdf|png|pps|ppt|pptx|potx|potm|ra|ram|rm|rtf|sit|sitx|tar|tgz|tif|tiff|txt|wav|webm|wma|wmv|xls|xlsx|xltx|xltm|zip|zipx)$
+    RewriteCond %{REQUEST_URI} !^[^.]*\.(?i:ace|arc|arj|asf|au|avi|bmp|bz2|cab|cda|css|csv|dmg|doc|docx|dotx|dotm|flv|gif|gpx|gz|hqx|ico|jar|jpeg|jpg|js|kml|m4a|m4v|mid|midi|mkv|mov|mp3|mp4|mpa|mpeg|mpg|ogg|ogv|pages|pcx|pdf|png|pps|ppt|pptx|potx|potm|ra|ram|rm|rtf|sit|sitx|tar|tgz|tif|tiff|txt|wav|webm|wma|wmv|xls|xlsx|xltx|xltm|zip|zipx)$
    RewriteRule .* - [F]
    # Non existant files passed to requesthandler