[TASK] Improve strictness of resource access blocking in _.htaccess

For Apache HTTP versions 2.3+ there is a better way to avoid conflicts in priority of sections. Since the `if` condition has been introduced it is ranked the highest priority, hence it is most suitable for rules to protect sensitive data. Resolves: #81849 Releases: master, 8.7 Change-Id: I3f6edf1e3af55dc3ce901080045c8d353eb89ef9 Reviewed-on: https://review.typo3.org/55937 Tested-by: TYPO3com <no-reply@typo3.com> Reviewed-by: Frank Naegler <frank.naegler@typo3.org> Tested-by: Frank Naegler <frank.naegler@typo3.org> Reviewed-by: Nicole Cordes <typo3@cordes.co> Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch> Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

[TASK] Improve strictness of resource access blocking in _.htaccess
For Apache HTTP versions 2.3+ there is a better way to avoid conflicts in priority of sections. Since the `if` condition has been introduced it is ranked the highest priority, hence it is most suitable for rules to protect sensitive data. Resolves: #81849 Releases: master, 8.7 Change-Id: I3f6edf1e3af55dc3ce901080045c8d353eb89ef9 Reviewed-on: https://review.typo3.org/55937 Tested-by: TYPO3com <no-reply@typo3.com> Reviewed-by: Frank Naegler <frank.naegler@typo3.org> Tested-by: Frank Naegler <frank.naegler@typo3.org> Reviewed-by: Nicole Cordes <typo3@cordes.co> Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch> Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
05fd022f · Markus Klein · Christian Kuhn · a15ddcf5 · 05fd022f
Commit 05fd022f authored 7 years ago by Markus Klein Committed by Christian Kuhn 7 years ago
--- a/_.htaccess
+++ b/_.htaccess
@@ -310,19 +310,20 @@ AddDefaultCharset utf-8
 </IfModule>

 # Access block for files
-<FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
-	# Apache < 2.3
-	<IfModule !mod_authz_core.c>
-		Order allow,deny
-		Deny from all
-		Satisfy All
-	</IfModule>
-
-	# Apache ≥ 2.3
-	<IfModule mod_authz_core.c>
-		Require all denied
-	</IfModule>
-</FilesMatch>
+# Apache < 2.3
+<IfModule !mod_authz_core.c>
+    <FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
+        Order allow,deny
+        Deny from all
+        Satisfy All
+    </FilesMatch>
+</IfModule>
+# Apache ≥ 2.3
+<IfModule mod_authz_core.c>
+    <If "%{REQUEST_URI} =~ m#(?i:/\.|/\x23.*\x23|/(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|/composer\.(?:json|lock)|/ext_conf_template\.txt|/ext_typoscript_constants\.txt|/ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$#">
+        Require all denied
+    </If>
+</IfModule>

 # Block access to vcs directories
 <IfModule mod_alias.c>