From 228a945da966f6b082418e3e35b35b83e18ed411 Mon Sep 17 00:00:00 2001
From: Pierre Goiffon <pierre.goiffon@combodo.com>
Date: Thu, 14 May 2020 10:59:31 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B02984=20Security=20hardening?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .gitignore      |  6 +++++-
 conf/.htaccess  | 13 +++++++++++++
 conf/web.config | 13 +++++++++++++
 data/web.config | 17 +++++++++++------
 log/web.config  | 17 +++++++++++------
 5 files changed, 53 insertions(+), 13 deletions(-)
 create mode 100644 conf/.htaccess
 create mode 100644 conf/web.config

diff --git a/.gitignore b/.gitignore
index 845a1a0d6..e205e6fad 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,13 +1,17 @@
 
 # no slash at the end to handle also symlinks
 /toolkit
-/conf
 /env-*
 
 # composer reserver directory, from sources, populate/update using "composer install"
 vendor/*
 test/vendor/*
 
+# all conf but listing prevention
+/conf/**
+!/conf/.htaccess
+!/conf/web.config
+
 # all datas but listing prevention
 /data/**
 !/data/.htaccess
diff --git a/conf/.htaccess b/conf/.htaccess
new file mode 100644
index 000000000..782472c78
--- /dev/null
+++ b/conf/.htaccess
@@ -0,0 +1,13 @@
+# Apache 2.4
+<ifModule mod_authz_core.c>
+Require all denied
+</ifModule>
+
+# Apache 2.2
+<ifModule !mod_authz_core.c>
+deny from all
+Satisfy All
+</ifModule>
+
+# Apache 2.2 and 2.4
+IndexIgnore *
diff --git a/conf/web.config b/conf/web.config
new file mode 100644
index 000000000..58c9c3ac3
--- /dev/null
+++ b/conf/web.config
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <system.webServer>
+    <security>
+      <requestFiltering>
+         <fileExtensions applyToWebDAV="false" allowUnlisted="false"></fileExtensions>
+      </requestFiltering>
+      <authorization>
+        <deny users="*" /> <!-- Denies all users -->
+      </authorization>
+    </security>
+  </system.webServer>
+</configuration>
\ No newline at end of file
diff --git a/data/web.config b/data/web.config
index 599a5f260..58c9c3ac3 100644
--- a/data/web.config
+++ b/data/web.config
@@ -1,8 +1,13 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8"?>
 <configuration>
-  <system.web>
-          <authorization>
-                  <deny users="*" /> <!-- Denies all users -->
-          </authorization>
-  </system.web>
+  <system.webServer>
+    <security>
+      <requestFiltering>
+         <fileExtensions applyToWebDAV="false" allowUnlisted="false"></fileExtensions>
+      </requestFiltering>
+      <authorization>
+        <deny users="*" /> <!-- Denies all users -->
+      </authorization>
+    </security>
+  </system.webServer>
 </configuration>
\ No newline at end of file
diff --git a/log/web.config b/log/web.config
index 599a5f260..58c9c3ac3 100644
--- a/log/web.config
+++ b/log/web.config
@@ -1,8 +1,13 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8"?>
 <configuration>
-  <system.web>
-          <authorization>
-                  <deny users="*" /> <!-- Denies all users -->
-          </authorization>
-  </system.web>
+  <system.webServer>
+    <security>
+      <requestFiltering>
+         <fileExtensions applyToWebDAV="false" allowUnlisted="false"></fileExtensions>
+      </requestFiltering>
+      <authorization>
+        <deny users="*" /> <!-- Denies all users -->
+      </authorization>
+    </security>
+  </system.webServer>
 </configuration>
\ No newline at end of file