[TYPO3-dev] Info disclosure from extension folders
christian reiter
cr at cxd.de
Thu Oct 26 09:35:55 CEST 2006
Hello,
I have tried something like this
# Any directory path that contains "typo3" followed later by "ext/":
# this covers typo3conf/ext, typo3/ext and typo3/sysext (and any other
# path that happens to fit the pattern, e.g. ".../typo3_site/context/").
<DirectoryMatch ".*/typo3.*ext/.*">
    # Case-insensitive match ((?i), PCRE only): ChangeLog in any spelling,
    # plus .txt .sql .dat .tpl .tmpl .inc .sh
    <FilesMatch "(?i)(changelog|\.txt|\.sql|\.dat|\.tm?pl|\.inc|\.sh)$">
        Order allow,deny
        Deny from all
        Satisfy All
    </FilesMatch>
</DirectoryMatch>
It will apply to typo3conf/ext, typo3/ext/ and typo3/sysext but not anywhere
else.
I put this into the central apache conf so it applies to all virtual hosts.
I have separate FilesMatch directives for SVN and CVS (and WEB-INF
/META-INF) because these need to be protected for ALL projects; there may be
other projects of course where a "txt" file is harmless, but in the case of
TYPO3 extensions it is usually documentation that other people do not need
to see over the web.
To test this just make a folder typo3conf/ext/test and touch files in it
called something like
test.txt ChangeLog test.dat test.css test.html
test.php test.tpl
CHANGELOG changelog.txt test.sql test.gif test.inc
test.tmpl test.sh
You should be able to get the test.css, test.gif, test.php and test.html but
all the rest should be 403.
Real Apache wizards can probably craft a more concise version. Don't use
this for production unchecked right away (as always).
Take note of the case-insensitive modifier (?i) in the expression; this is
not available everywhere:
"Apache 1.3 uses HSRegex or your system egrep-compatible regex library.
These are much less capable than PCRE and they do not support the ?i
flag. So you are out of luck unless you want to upgrade."
http://mail-archives.apache.org/mod_mbox/httpd-users/200603.mbox/%3ce498c1660603291208s7c760082h7d6e094497f7a8ed@mail.gmail.com%3e
Greetings,
Christian Reiter
"Steffen Kamper" <steffen at dislabs.de> wrote in message
news:mailman.1.1161819877.18826.typo3-dev at lists.netfielders.de...
>
> "Christian Reiter" <cr at cxd.de> wrote in message
> news:mailman.1.1161810773.23662.typo3-dev at lists.netfielders.de...
> > Yes, this kind of FilesMatch statement is exactly what I meant. It only
> > needs one entry in the httpd.conf. The Drupal example also covers CVS
> > files, which is a good idea as they may contain interesting information,
> > especially in CVS/Root. The same is true of .svn folders.
> > On newer versions of Apache you can use modifiers in the FilesMatch
> > regex, which helps with the many different spellings for "ChangeLog",
> > "changelog.txt" etc.
> > Moving the files around is not necessary.
> >
> > Greetings,
> >
> > Christian Reiter
> >
>
> Hi,
> thx for that hint - it shows that only a few commands can solve this
> problem. It would be nice to engineer a FilesMatch statement for TYPO3 and
> publish it.
>
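An offline check of the two patterns from the post, added here as an example and not part of the thread: it models Apache's DirectoryMatch (directory path) and FilesMatch (basename) decision, runs the test file names the post lists, and shows that the loose directory pattern also catches a constructed path outside the three extension folders. The docroot paths and the stricter alternative pattern are assumptions of this example.

```python
import os
import re

# Patterns exactly as given in the post. Apache applies <DirectoryMatch>
# to the filesystem directory path and <FilesMatch> to the file's basename.
DIR_PATTERN = re.compile(r".*\/typo3.*ext\/.*")
FILE_PATTERN = re.compile(r"(?i)(changelog|\.txt|\.sql|\.dat|\.tm?pl|\.inc|\.sh)$")

# Tighter alternative (assumption of this example, not from the post):
# only the three extension folders the post names, wherever the docroot is.
STRICT_DIR_PATTERN = re.compile(r"/typo3(conf/ext|/ext|/sysext)/")


def status_for(path, dir_pattern=DIR_PATTERN):
    """Return the HTTP status the config would produce for one file path.

    403 only when both the directory and the basename match; anything else
    is left to normal handling, modelled here as 200.
    """
    # Directory modelled with a trailing slash, as the post's pattern expects.
    directory = os.path.dirname(path) + "/"
    name = os.path.basename(path)
    if dir_pattern.search(directory) and FILE_PATTERN.search(name):
        return 403
    return 200


def check_post_test_set(ext_dir="/var/www/site/typo3conf/ext/test/"):
    """Evaluate the file names the post says to touch; return {name: status}."""
    names = ["test.txt", "ChangeLog", "test.dat", "test.css", "test.html",
             "test.php", "test.tpl", "CHANGELOG", "changelog.txt", "test.sql",
             "test.gif", "test.inc", "test.tmpl", "test.sh"]
    return {n: status_for(ext_dir + n) for n in names}


if __name__ == "__main__":
    for name, status in check_post_test_set().items():
        print(f"{status} {name}")
    # Constructed path outside typo3conf/ext, typo3/ext and typo3/sysext
    # that the post's pattern still matches ("typo3" ... "ext/").
    stray = "/var/www/typo3_site/context/notes.txt"
    print(status_for(stray), "with the post's pattern")
    print(status_for(stray, STRICT_DIR_PATTERN), "with the strict pattern")
```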