Howdy,
I've sent this to the roundcube list few days ago, no-one replied so ,
since its also apache related, I'll ask here.
<paste of message>
Trying to understand the new "security" rules in .htaccess
- deny access to files not containing a dot or starting with a dot
# in all locations except installer directory
RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
This doesn't quite make sense, we have a help/ directory, which is not
accessible because of this rule yet all files in that directory are
foo.img or index.php, bar.php
change to
RewriteRule ^(?!(installer|help))(\.?[^\.]+)$ - [F]
permits our help/ directory to be read, this is sub optimum because it
will be overwrite at next update again, does someone with good
knowledge of rewrite rules able to shed some light on this?
<end paste>
So are roundcube folk doing it wrong?
The entire rewrite rule section is (although my problem is fixed by
only the above line, but in case there is a relation I'll include the
full bit here:
RewriteEngine On
RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
# security rules:
# - deny access to files not containing a dot or starting with a dot
# in all locations except installer directory
#RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F] <---
this does NOT work
RewriteRule ^(?!(installer|help))(\.?[^\.]+)$ - [F] <--- this works
# - deny access to some locations
RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps))
- [F]
# - deny access to some documentation files
RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$
- [F]
Thanks.
Nik
|