Unverified Commit 952c0866 authored by Alex Pott's avatar Alex Pott

Issue #2989262 by Daniel Korte, Kristen Pol: Escape all RewriteCond/RewriteRule .htaccess dots

parent 38d02d6e
...@@ -116,13 +116,13 @@ AddEncoding gzip svgz ...@@ -116,13 +116,13 @@ AddEncoding gzip svgz
# RewriteBase / # RewriteBase /
# Redirect common PHP files to their new locations. # Redirect common PHP files to their new locations.
RewriteCond %{REQUEST_URI} ^(.*)?/(install.php) [OR] RewriteCond %{REQUEST_URI} ^(.*)?/(install\.php) [OR]
RewriteCond %{REQUEST_URI} ^(.*)?/(rebuild.php) RewriteCond %{REQUEST_URI} ^(.*)?/(rebuild\.php)
RewriteCond %{REQUEST_URI} !core RewriteCond %{REQUEST_URI} !core
RewriteRule ^ %1/core/%2 [L,QSA,R=301] RewriteRule ^ %1/core/%2 [L,QSA,R=301]
# Rewrite install.php during installation to see if mod_rewrite is working # Rewrite install.php during installation to see if mod_rewrite is working
RewriteRule ^core/install.php core/install.php?rewrite=ok [QSA,L] RewriteRule ^core/install\.php core/install.php?rewrite=ok [QSA,L]
# Pass all requests not referring directly to files in the filesystem to # Pass all requests not referring directly to files in the filesystem to
# index.php. # index.php.
...@@ -138,11 +138,11 @@ AddEncoding gzip svgz ...@@ -138,11 +138,11 @@ AddEncoding gzip svgz
# Allow access to PHP files in /core (like authorize.php or install.php): # Allow access to PHP files in /core (like authorize.php or install.php):
RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$ RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
# Allow access to test-specific PHP files: # Allow access to test-specific PHP files:
RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?\.php
# Allow access to Statistics module's custom front controller. # Allow access to Statistics module's custom front controller.
# Copy and adapt this rule to directly execute PHP files in contributed or # Copy and adapt this rule to directly execute PHP files in contributed or
# custom modules or to run another PHP application in the same directory. # custom modules or to run another PHP application in the same directory.
RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$ RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics\.php$
# Deny access to any other PHP files that do not match the rules above. # Deny access to any other PHP files that do not match the rules above.
# Specifically, disallow autoload.php from being served directly. # Specifically, disallow autoload.php from being served directly.
RewriteRule "^(.+/.*|autoload)\.php($|/)" - [F] RewriteRule "^(.+/.*|autoload)\.php($|/)" - [F]
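Review bot: The test-file exemption `RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?\.php` is still missing an end anchor after the dot is escaped, unlike the `statistics\.php$` condition a few lines below it. Because these conditions are the allow-list in front of the `[F]` deny rule, an unanchored one exempts any request URI that merely contains that string, which is broader than the comment "Allow access to test-specific PHP files" suggests. If the test front controllers are meant to accept trailing path info (not visible on this page), `https?\.php($|/)` would mirror the deny rule's own suffix; otherwise `https?\.php$` is enough. The same line appears unchanged in the second file section of this commit, and `RewriteRule ^core/install\.php` in the first hunk likewise has no `$`.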
......
...@@ -116,13 +116,13 @@ AddEncoding gzip svgz ...@@ -116,13 +116,13 @@ AddEncoding gzip svgz
# RewriteBase / # RewriteBase /
# Redirect common PHP files to their new locations. # Redirect common PHP files to their new locations.
RewriteCond %{REQUEST_URI} ^(.*)?/(install.php) [OR] RewriteCond %{REQUEST_URI} ^(.*)?/(install\.php) [OR]
RewriteCond %{REQUEST_URI} ^(.*)?/(rebuild.php) RewriteCond %{REQUEST_URI} ^(.*)?/(rebuild\.php)
RewriteCond %{REQUEST_URI} !core RewriteCond %{REQUEST_URI} !core
RewriteRule ^ %1/core/%2 [L,QSA,R=301] RewriteRule ^ %1/core/%2 [L,QSA,R=301]
# Rewrite install.php during installation to see if mod_rewrite is working # Rewrite install.php during installation to see if mod_rewrite is working
RewriteRule ^core/install.php core/install.php?rewrite=ok [QSA,L] RewriteRule ^core/install\.php core/install.php?rewrite=ok [QSA,L]
# Pass all requests not referring directly to files in the filesystem to # Pass all requests not referring directly to files in the filesystem to
# index.php. # index.php.
...@@ -138,11 +138,11 @@ AddEncoding gzip svgz ...@@ -138,11 +138,11 @@ AddEncoding gzip svgz
# Allow access to PHP files in /core (like authorize.php or install.php): # Allow access to PHP files in /core (like authorize.php or install.php):
RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$ RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
# Allow access to test-specific PHP files: # Allow access to test-specific PHP files:
RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?\.php
# Allow access to Statistics module's custom front controller. # Allow access to Statistics module's custom front controller.
# Copy and adapt this rule to directly execute PHP files in contributed or # Copy and adapt this rule to directly execute PHP files in contributed or
# custom modules or to run another PHP application in the same directory. # custom modules or to run another PHP application in the same directory.
RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$ RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics\.php$
# Deny access to any other PHP files that do not match the rules above. # Deny access to any other PHP files that do not match the rules above.
# Specifically, disallow autoload.php from being served directly. # Specifically, disallow autoload.php from being served directly.
RewriteRule "^(.+/.*|autoload)\.php($|/)" - [F] RewriteRule "^(.+/.*|autoload)\.php($|/)" - [F]
......