From e2828ed1551cf9240bcdbfbd1bfe1f4ac0d002d7 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Sat, 18 Jun 2016 13:16:02 +0900
Subject: [PATCH] Improve precision and security of .htaccess and nginx configuration

- Block direct access to HTML and XML files in all modules, themes, etc.
- Block direct access to environment information in files/env/*
- Block direct access to dotfiles and other developer resources
- Block direct access to cache store
- Block PHP execution in upload directory (for additional protection)
- Ensure consitency between Apache and nginx rewrite rules
- Remove redundant rewrite rules
---
 .htaccess | 20 ++++++--------
 common/manual/server_config/rhymix-nginx.conf | 26 +++++++++++++------
 2 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/.htaccess b/.htaccess
index 31276ebc4..aacc89fd1 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,21 +1,17 @@
 RewriteEngine On
 
-# reserve Rhymix Layout Template Source File (*.html)
-RewriteRule ^(common|layouts|m.layouts)/(.+)\.html$ - [L,F]
-# reserve Rhymix Template Source Files (*.html)
-RewriteCond %{REQUEST_URI} !/modules/editor/
-RewriteRule /(skins|m.skins)/(.+)\.html$ - [L,F]
-
-# conf, query, schema
-RewriteRule ^(modules|addons|widgets)/(.+)/(conf|queries|schemas)/(.+)\.xml$ ./index.php [L]
+# block direct access to templates, XML schema files, config files, dotfiles, environment, etc.
+RewriteCond %{REQUEST_URI} !/modules/editor/(skins|styles)/
+RewriteRule ^(addons|common|files/ruleset|(m\.)?layouts|modules|plugins|themes|widgets|widgetstyles)/.+\.(html|xml)$ - [L,F]
+RewriteRule ^files/(attach|config|cache/store)/.+\.php$ - [L,F]
+RewriteRule ^files/env/ - [L,F]
+RewriteRule ^(\.|codeception\.|composer\.|Gruntfile\.js|package\.json|CONTRIBUTING|COPYRIGHT|LICENSE|README) - [L,F]
 
 # static files
 RewriteCond %{SCRIPT_FILENAME} !-f
-RewriteRule ^(.+)/files/(member_extra_info|attach|cache|faceOff)/(.*) ./files/$2/$3 [L]
-RewriteCond %{SCRIPT_FILENAME} !-f
-RewriteRule ^(.+)/(files|modules|widgets|widgetstyles|layouts|m.layouts|addons)/(.*) ./$2/$3 [L]
+RewriteRule ^(.+)/(addons|files|layouts|m\.layouts|modules|widgets|widgetstyles)/(.*) ./$2/$3 [L]
 
-# rss , blogAPI
+# rss, blogAPI
 RewriteRule ^(rss|atom)$ ./index.php?module=rss&act=$1 [L]
 RewriteRule ^([a-zA-Z0-9_]+)/(rss|atom|api)$ ./index.php?mid=$1&act=$2 [L]
 RewriteRule ^([a-zA-Z0-9_]+)/([a-zA-Z0-9_]+)/(rss|atom|api)$ ./index.php?vid=$1&mid=$2&act=$3 [L]
diff --git a/common/manual/server_config/rhymix-nginx.conf b/common/manual/server_config/rhymix-nginx.conf
index 1c6920eb7..5019dbd3d 100644
--- a/common/manual/server_config/rhymix-nginx.conf
+++ b/common/manual/server_config/rhymix-nginx.conf
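Review bot: The new `RewriteRule ^files/(attach|config|cache/store)/.+\.php$ - [L,F]` is case-sensitive and refuses only the literal `.php` suffix, so a file named `x.PHP` on a case-insensitive filesystem, or one carrying another extension the host maps to the PHP handler, is not covered by this rule even though the commit message says PHP execution in the upload directory is blocked. A more robust form is `RewriteRule ^files/(attach|config|cache/store)/.+\.(php|phtml|phar|php[0-9])$ - [L,F,NC]`, and disabling the engine for that tree in the server config (`php_flag engine off` or a handler reset inside a `<Directory>` for `files/`) holds regardless of rewrite ordering; the exact extension set depends on the server's handler mapping, which this hunk does not show. The dotfile rule `^(\.|codeception\.|…)` is anchored at the document root, so a dotfile or VCS directory inside a subtree (e.g. `modules/<something>/.git/`) is still served; `RewriteRule (^|/)\. - [L,F]` covers every depth, with an explicit exception for `.well-known` if the site uses ACME challenges. The same root-only anchoring applies to the `location ~ ^/(\.|…)` block in the nginx hunk below.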
@@ -1,12 +1,22 @@
-# conf, query, schema, skins, layouts, m.layouts
-rewrite ^/(modules|addons|widgets|(m\.)?layouts)/(.+)\.(html|xml)$ /index.php last;
+# block direct access to templates, XML schemas, config files, dotfiles, environment info, etc.
+location ~ ^/modules/editor/(skins|styles)/.+\.html$ {
+    # pass
+}
+location ~ ^/(addons|common|files/ruleset|(m\.)?layouts|modules|plugins|themes|widgets|widgetstyles)/.+\.(html|xml)$ {
+    return 403;
+}
+location ~ ^/files/(attach|config|cache/store)/.+\.php$ {
+    return 403;
+}
+location ~ ^/files/env/ {
+    return 403;
+}
+location ~ ^/(\.|codeception\.|composer\.|Gruntfile\.js|package\.json|CONTRIBUTING|COPYRIGHT|LICENSE|README) {
+    return 403;
+}
 
-# reserve setting files
-rewrite ^/files/config/(.+)\.php$ /index.php last;
-
-# static files
-rewrite ^/(.+)/files/(member_extra_info|attach|cache|faceOff)/(.*) /files/$2/$3 last;
-rewrite ^/(.+)/(files|modules|widgets|widgetstyles|layouts|m.layouts|addons)/(.*) /$2/$3 last;
+# fix incorrect relative URLs (for legacy support)
+rewrite ^/(.+)/(addons|files|layouts|m\.layouts|modules|widgets|widgetstyles)/(.*) /$2/$3 last;
 
 # rss, blogAPI
 rewrite ^/(rss|atom)$ /index.php?module=rss&act=$1 last;
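Review bot: The `location ~ ^/files/(attach|config|cache/store)/.+\.php$ { return 403; }` block only takes effect if it is placed before the server's PHP handler location (typically `location ~ \.php$ { fastcgi_pass …; }`), because nginx selects the first matching regex location in file order; this snippet ends before any such block, so the sample config should say so, e.g. `# keep these blocks above the \.php$ fastcgi location: nginx uses the first matching regex location`. The empty `location ~ ^/modules/editor/(skins|styles)/.+\.html$ { # pass }` relies on the same first-match rule to win over the 403 block below it, which is worth stating in that comment instead of the bare `# pass`. These locations use the case-sensitive `~` modifier; if the deployment's PHP handler location uses `~*`, the 403 block should use `~*` as well so that the two agree on what counts as a PHP request.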