2498 - restrict access to assets into env-*

- allow static content within datamodels/ and extensions/ (reason: the setup make use of images within this directory)
 - simplified .htaccess and web.content generation during the compilation
 - it now also allow fonts

datamodels/.htaccess

@@ -1,12 +1,19 @@
 # Apache 2.4
 <ifModule mod_authz_core.c>
 Require all denied
+	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot)$">
+	    Require all granted
+	</FilesMatch>
 </ifModule>
 
 # Apache 2.2
 <ifModule !mod_authz_core.c>
 deny from all
 Satisfy All
+	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot)$">
+	    Order Allow,Deny
+	    Allow from all
+	</FilesMatch>
 </ifModule>
 
 # Apache 2.2 and 2.4

datamodels/web.config

@@ -1,8 +1,26 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
   <system.web>
-          <authorization>
-                  <deny users="*" /> <!-- Denies all users -->
-          </authorization>
+      <security>
+         <requestFiltering>
+            <fileExtensions applyToWebDAV="false" allowUnlisted="false" >
+               <add fileExtension=".css" allowed="true" />
+               <add fileExtension=".scss" allowed="true" />
+               <add fileExtension=".js" allowed="true" />
+               <add fileExtension=".png" allowed="true" />
+               <add fileExtension=".bmp" allowed="true" />
+               <add fileExtension=".gif" allowed="true" />
+               <add fileExtension=".jpeg" allowed="true" />
+               <add fileExtension=".jpg" allowed="true" />
+               <add fileExtension=".svg" allowed="true" />
+               <add fileExtension=".tiff" allowed="true" />
+
+               <add fileExtension=".woff" allowed="true" />
+               <add fileExtension=".woff2" allowed="true" />
+               <add fileExtension=".ttf" allowed="true" />
+               <add fileExtension=".eot" allowed="true" />
+            </fileExtensions>
+         </requestFiltering>
+      </security>
   </system.web>
 </configuration>

extensions/.htaccess

@@ -1,12 +1,19 @@
 # Apache 2.4
 <ifModule mod_authz_core.c>
 Require all denied
+	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot)$">
+	    Require all granted
+	</FilesMatch>
 </ifModule>
 
 # Apache 2.2
 <ifModule !mod_authz_core.c>
 deny from all
 Satisfy All
+	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot)$">
+	    Order Allow,Deny
+	    Allow from all
+	</FilesMatch>
 </ifModule>
 
 # Apache 2.2 and 2.4

extensions/web.config

@@ -1,8 +1,26 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
   <system.web>
-          <authorization>
-                  <deny users="*" /> <!-- Denies all users -->
-          </authorization>
+      <security>
+         <requestFiltering>
+            <fileExtensions applyToWebDAV="false" allowUnlisted="false" >
+               <add fileExtension=".css" allowed="true" />
+               <add fileExtension=".scss" allowed="true" />
+               <add fileExtension=".js" allowed="true" />
+               <add fileExtension=".png" allowed="true" />
+               <add fileExtension=".bmp" allowed="true" />
+               <add fileExtension=".gif" allowed="true" />
+               <add fileExtension=".jpeg" allowed="true" />
+               <add fileExtension=".jpg" allowed="true" />
+               <add fileExtension=".svg" allowed="true" />
+               <add fileExtension=".tiff" allowed="true" />
+
+               <add fileExtension=".woff" allowed="true" />
+               <add fileExtension=".woff2" allowed="true" />
+               <add fileExtension=".ttf" allowed="true" />
+               <add fileExtension=".eot" allowed="true" />
+            </fileExtensions>
+         </requestFiltering>
+      </security>
   </system.web>
 </configuration>

setup/compiler.class.inc.php

@@ -225,48 +225,8 @@ class MFCompiler
 		$iStart = strlen(realpath(APPROOT));
 		$sRelFinalTargetDir = substr($sFinalTargetDir, strlen(APPROOT));
 
-		$sModuleDesignDir = $sTempTargetDir.'/core/module_designs/';
-		SetupUtils::builddir($sModuleDesignDir);
-
-		$sModuleDesignHtaccessFileName = $sModuleDesignDir.'.htaccess';
-		$sModuleDesignHtaccessFileContent = <<<EOF
-# This file was automatically generated by iTop.
-
-# Apache 2.4
-<ifModule mod_authz_core.c>
-Require all denied
-</ifModule>
-
-# Apache 2.2
-<ifModule !mod_authz_core.c>
-deny from all
-Satisfy All
-</ifModule>
-
-# Apache 2.2 and 2.4
-IndexIgnore *
-
-
-EOF;
-		$this->WriteFileIfNotExists($sModuleDesignHtaccessFileName, $sModuleDesignHtaccessFileContent);
-		unset($sModuleDesignHtaccessFileContent, $sModuleDesignHtaccessFileName);
-
-		$sModuleDesignHtaccessFileName = $sModuleDesignDir.'web.config';
-		$sModuleDesignHtaccessFileContent = <<<XML
-<?xml version="1.0" encoding="utf-8" ?>
-<!-- This file was automatically generated by iTop -->
-<configuration>
-  <system.web>
-          <authorization>
-                  <deny users="*" /> <!-- Denies all users -->
-          </authorization>
-  </system.web>
-</configuration>
-
-XML;
-		$this->WriteFileIfNotExists($sModuleDesignHtaccessFileName, $sModuleDesignHtaccessFileContent);
-		unset($sModuleDesignHtaccessFileContent, $sModuleDesignHtaccessFileName);
-
+		$this->WriteStaticOnlyHtaccess($sTempTargetDir);
+		$this->WriteStaticOnlyWebConfig($sTempTargetDir);
 
 		foreach($aModules as $foo => $oModule)
 		{
@@ -290,8 +250,6 @@ XML;
 				// Push the other module files
 				SetupUtils::copydir($sModuleRootDir, $sTempTargetDir.'/'.$sRelativeDir, $bUseSymbolicLinks);
 
-				$this->WriteModuleHtaccess($sTempTargetDir, $sFinalTargetDir, $sRelativeDir, $sModuleName, $sModuleVersion);
-				$this->WriteModuleWebConfig($sTempTargetDir, $sFinalTargetDir, $sRelativeDir, $sModuleName, $sModuleVersion);
 
 
 			}
@@ -2944,14 +2902,9 @@ EOF;
 	 * @return bool|int
 	 * @throws \Exception
 	 */
-	protected function WriteFileIfNotExists($sFilename, $sContent)
+	protected function WriteFile($sFilename, $sContent, $flags = null)
 	{
-		if (file_exists($sFilename))
-		{
-			return false;
-		}
-
-		$ret = file_put_contents($sFilename, $sContent);
+		$ret = file_put_contents($sFilename, $sContent, $flags);
 		if ($ret === false)
 		{
 			$iLen = strlen($sContent);
@@ -2961,7 +2914,7 @@ EOF;
 		}
 
 		return $ret;
-}
+	}
 
 	/**
 	 * if no ".htaccess" is present, add a generic one prohibiting access to potentially sensible files (ie: even if it is quite a bad practice, it may happen that a developer put a secret into the xml)
@@ -2969,20 +2922,17 @@ EOF;
 	 * @param $sTempTargetDir
 	 * @param $sFinalTargetDir
 	 * @param $sRelativeDir
-	 * @param $sModuleName
-	 * @param $sModuleVersion
 	 *
 	 * @throws \Exception
 	 */
-	protected function WriteModuleHtaccess($sTempTargetDir, $sFinalTargetDir, $sRelativeDir, $sModuleName, $sModuleVersion)
+	protected function WriteStaticOnlyHtaccess($sTempTargetDir)
 	{
 		$sContent = <<<EOF
-# This file was automatically generated by iTop, because there was no .htaccess in this module {$sModuleName}/{$sModuleVersion}
 
 # Apache 2.4
 <ifModule mod_authz_core.c>
 Require all denied
-	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff)$">
+	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot)$">
 	    Require all granted
 	</FilesMatch>
 </ifModule>
@@ -2991,7 +2941,7 @@ Require all denied
 <ifModule !mod_authz_core.c>
 deny from all
 Satisfy All
-	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff)$">
+	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot)$">
 	    Order Allow,Deny
 	    Allow from all
 	</FilesMatch>
@@ -3002,13 +2952,7 @@ IndexIgnore *
 
 EOF;
 
-		$sFilename = $sTempTargetDir.'/'.$sRelativeDir.'/.htaccess';
-
-		$bWritten = $this->WriteFileIfNotExists($sFilename, $sContent);
-		if ($bWritten)
-		{
-			SetupLog::Warning("Added a generic .htaccess into {$sFinalTargetDir}/{$sRelativeDir} during the compilation.");;
-		}
+		$this->WriteFile("$sTempTargetDir/.htaccess", $sContent);
 	}
 
 	/**
@@ -3022,11 +2966,10 @@ EOF;
 	 *
 	 * @throws \Exception
 	 */
-	protected function WriteModuleWebConfig($sTempTargetDir, $sFinalTargetDir, $sRelativeDir, $sModuleName, $sModuleVersion)
+	protected function WriteStaticOnlyWebConfig($sTempTargetDir)
 	{
 		$sContent = <<<EOF
 <?xml version="1.0" encoding="utf-8" ?>
-<!-- This file was automatically generated by iTop, because there was no web.config in this module {$sModuleName}/{$sModuleVersion} -->
 <configuration>
   <system.webServer>
       <security>
@@ -3042,6 +2985,11 @@ EOF;
                <add fileExtension=".jpg" allowed="true" />
                <add fileExtension=".svg" allowed="true" />
                <add fileExtension=".tiff" allowed="true" />
+               
+               <add fileExtension=".woff" allowed="true" />
+               <add fileExtension=".woff2" allowed="true" />
+               <add fileExtension=".ttf" allowed="true" />
+               <add fileExtension=".eot" allowed="true" />
             </fileExtensions>
          </requestFiltering>
       </security>
@@ -3050,12 +2998,6 @@ EOF;
 
 EOF;
 
-		$sFilename = $sTempTargetDir.'/'.$sRelativeDir.'/web.config';
-
-		$bWritten = $this->WriteFileIfNotExists($sFilename, $sContent);
-		if ($bWritten)
-		{
-			SetupLog::Warning("Added a generic web.config into {$sFinalTargetDir}/{$sRelativeDir} during the compilation.");;
-		}
+		$this->WriteFile("$sTempTargetDir/web.config", $sContent);
 	}
 }