2498 - restrict access to assets into env-*

- allow static html into extensions/ and datamodels/ - allow direct access to php into env-* for legacy code taht do not use exec.php
2026-02-12 23:14:18 +01:00 · 2019-10-30 15:45:21 +01:00
parent e6167adefd
commit 4834c326aa
5 changed files with 18 additions and 10 deletions
--- a/extensions/.htaccess
+++ b/extensions/.htaccess
@@ -1,7 +1,7 @@
 # Apache 2.4
 <ifModule mod_authz_core.c>
 Require all denied
-	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot)$">
+	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html)$">
 	    Require all granted
 	</FilesMatch>
 </ifModule>
@@ -10,7 +10,7 @@ Require all denied
 <ifModule !mod_authz_core.c>
 deny from all
 Satisfy All
-	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot)$">
+	<FilesMatch ".+\.(css|scss|js|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html)$">
 	    Order Allow,Deny
 	    Allow from all
 	</FilesMatch>
--- a/extensions/web.config
+++ b/extensions/web.config
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <configuration>
-  <system.web>
+  <system.webServer>
      <security>
         <requestFiltering>
            <fileExtensions applyToWebDAV="false" allowUnlisted="false" >
@@ -19,8 +19,10 @@
               <add fileExtension=".woff2" allowed="true" />
               <add fileExtension=".ttf" allowed="true" />
               <add fileExtension=".eot" allowed="true" />
+
+               <add fileExtension=".html" allowed="true" />
            </fileExtensions>
         </requestFiltering>
      </security>
-  </system.web>
+  </system.webServer>
 </configuration>