2498 - restrict access to assets into env-*

- allow static content within datamodels/ and extensions/ (reason: the setup make use of images within this directory) - simplified .htaccess and web.content generation during the compilation - it now also allow fonts
2026-02-12 23:14:18 +01:00 · 2019-10-30 09:44:28 +01:00
parent 358adb2109
commit 0d13d9eabe
5 changed files with 74 additions and 82 deletions
--- a/extensions/.htaccess
+++ b/extensions/.htaccess
@@ -1,13 +1,20 @@
 # Apache 2.4
 <ifModule mod_authz_core.c>
 Require all denied
+	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot)$">
+	    Require all granted
+	</FilesMatch>
 </ifModule>

 # Apache 2.2
 <ifModule !mod_authz_core.c>
 deny from all
 Satisfy All
+	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot)$">
+	    Order Allow,Deny
+	    Allow from all
+	</FilesMatch>
 </ifModule>

 # Apache 2.2 and 2.4
-IndexIgnore *
+IndexIgnore *
--- a/extensions/web.config
+++ b/extensions/web.config
@@ -1,8 +1,26 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
  <system.web>
-          <authorization>
-                  <deny users="*" /> <!-- Denies all users -->
-          </authorization>
+      <security>
+         <requestFiltering>
+            <fileExtensions applyToWebDAV="false" allowUnlisted="false" >
+               <add fileExtension=".css" allowed="true" />
+               <add fileExtension=".scss" allowed="true" />
+               <add fileExtension=".js" allowed="true" />
+               <add fileExtension=".png" allowed="true" />
+               <add fileExtension=".bmp" allowed="true" />
+               <add fileExtension=".gif" allowed="true" />
+               <add fileExtension=".jpeg" allowed="true" />
+               <add fileExtension=".jpg" allowed="true" />
+               <add fileExtension=".svg" allowed="true" />
+               <add fileExtension=".tiff" allowed="true" />
+
+               <add fileExtension=".woff" allowed="true" />
+               <add fileExtension=".woff2" allowed="true" />
+               <add fileExtension=".ttf" allowed="true" />
+               <add fileExtension=".eot" allowed="true" />
+            </fileExtensions>
+         </requestFiltering>
+      </security>
  </system.web>
 </configuration>