In .htaccess deny files, use "Satisfy All"

These .htaccess files are intended to prohibit all web access. But if
the user sets "Satisfy Any" on a parent directory, in conjunction with
any permissive require directive like "Require all granted", access will
be allowed despite "Require all denied" in .htaccess.

So, override Satisfy so that the "Require all denied" will reliably take
effect.

Note that "Satisfy All" is the default. This only affects non-default
installations.

Change-Id: Ia5862fb69e439b7ea2ed7af011e1ebf8f1b1f6d6
(cherry picked from commit a50d2e69f8ce9e5720b05615d04c35cc9008b6ae)
Tim Starling 2025-04-04 17:08:47 +11:00 committed by Reedy
parent b3410d433c
commit 66c2681f7c
10 changed files with 15 additions and 4 deletions

1
cache/.htaccess vendored

@ -1 +1,2 @@
Require all denied
Satisfy All
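Review bot: `Satisfy` is a directive that Apache 2.4 provides only through mod_access_compat, so on a server without that module this file fails to parse and the directory answers 500 instead of 403. Access is still refused, but the status code and the error-log output change, which is worth recording in the release notes or next to the directive, e.g. `# Satisfy needs mod_access_compat on Apache 2.4; it stops a parent "Satisfy Any" from overriding the deny`. The same applies to the other static .htaccess sections on this page and to the three PHP strings that generate the same content. Note also that none of these files take effect where the parent configuration sets `AllowOverride None`.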


@ -1 +1,2 @@
Require all denied
Satisfy All


@ -40,6 +40,8 @@ class ComposerVendorHtaccessCreator {
return;
}
file_put_contents( $fname, "Require all denied\n" );
file_put_contents( $fname,
"Require all denied\n" .
"Satisfy All\n" );
}
}
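Review bot: The `return;` just above the write looks like an early exit whose condition lies outside the hunk; if it fires whenever `$fname` already exists, installations that already have the one-line file keep it and never gain `Satisfy All`. Should that be the case, compare the existing content and rewrite when it differs, for example `if ( file_exists( $fname ) && file_get_contents( $fname ) === $content ) { return; }` with `$content` holding the two-line string. The result of `file_put_contents()` is also discarded, so a failed write leaves the directory without its deny file and nothing reports it.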


@ -157,7 +157,9 @@ class SqliteInstaller extends DatabaseInstaller {
}
}
# Put a .htaccess file in case the user didn't take our advice
file_put_contents( "$dir/.htaccess", "Require all denied\n" );
file_put_contents( "$dir/.htaccess",
"Require all denied\n" .
"Satisfy All\n" );
return Status::newGood();
}
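Review bot: The return value of `file_put_contents( "$dir/.htaccess", … )` is ignored and the next line returns `Status::newGood()`, so the installer reports success even when the deny file could not be written. Since this file is the fallback for a data directory placed inside the web root, a failed write should at least be surfaced, e.g. `if ( file_put_contents( "$dir/.htaccess", "Require all denied\nSatisfy All\n" ) === false ) { /* add a warning to the returned Status */ }`. The enclosing method starts outside the hunk, so an earlier writability check may already cover part of this.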


@ -987,7 +987,8 @@ class FSFileBackend extends FileBackendStore {
* @return string
*/
protected function htaccessPrivate() {
return "Require all denied\n";
return "Require all denied\n" .
"Satisfy All\n";
}
/**
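Review bot: The visible part of the docblock on `htaccessPrivate()` is only `@return string`, so nothing at the method says why the second directive is there. The docblock begins above the hunk, so this may already be covered. If it is not, add a description line such as `Content of a .htaccess that denies all web access; "Satisfy All" keeps a parent "Satisfy Any" from re-enabling it.`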


@ -1 +1,2 @@
Require all denied
Satisfy All


@ -1 +1,2 @@
Require all denied
Satisfy All


@ -1 +1,2 @@
Require all denied
Satisfy All


@ -1 +1,2 @@
Require all denied
Satisfy All


@ -61,7 +61,7 @@ class SqliteInstallerTest extends MediaWikiUnitTestCase {
$dir = sys_get_temp_dir() . '/' . uniqid( 'MediaWikiTest' );
$status = $method->invoke( null, $dir );
$this->assertStatusGood( $status );
$this->assertSame( "Require all denied\n", file_get_contents( "$dir/.htaccess" ) );
$this->assertSame( "Require all denied\nSatisfy All\n", file_get_contents( "$dir/.htaccess" ) );
unlink( "$dir/.htaccess" );
rmdir( $dir );
}