From 5443c1bdd76848d9d638f8a536820b4c75c95ca2 Mon Sep 17 00:00:00 2001
From: Xavier Perseguers <typo3@perseguers.ch>
Date: Thu, 21 Jul 2011 23:18:47 +0200
Subject: [PATCH] [TASK] Add default security settings in .htaccess

Add a new security section within .htaccess to help users secure their TYPO3 install:
- Restrict access to deleted files in Recycler directories
- Restrict access to TypoScript files in default templates directories
- Restrict access to Private extension directories

Resolves: #28368
Change-Id: I94c09f50616af55cfdd9577097251692b2111ae7
Reviewed-on: http://review.typo3.org/3462
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer
---
 _.htaccess | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/_.htaccess b/_.htaccess
index f470fd6e3ed8..899c0d2798f0 100644
--- a/_.htaccess
+++ b/_.htaccess
@@ -89,6 +89,18 @@ RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule ^(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ $1.$3 [L]
 
+# Basic security checks
+# - Restrict access to deleted files in Recycler directories
+# - Restrict access to TypoScript files in default templates directories
+# - Restrict access to Private extension directories
+# For httpd.conf, use these lines instead of the next ones:
+# RewriteRule ^/TYPO3root/fileadmin/(.*/)?_recycler_/ - [F]
+# RewriteRule ^/TYPO3root/fileadmin/templates/.*(\.txt|\.ts)$ - [F]
+# RewriteRule ^/TYPO3root/typo3conf/ext/[^/]+/Resources/Private/ - [F]
+RewriteRule ^fileadmin/(.*/)?_recycler_/ - [F]
+RewriteRule ^fileadmin/templates/.*(\.txt|\.ts)$ - [F]
+RewriteRule ^typo3conf/ext/[^/]+/Resources/Private/ - [F]
+
 # Stop rewrite processing, if we are in the typo3/ directory.
 # For httpd.conf, use this line instead of the next one:
 # RewriteRule ^/TYPO3root/(typo3/|t3lib/|fileadmin/|typo3conf/|typo3temp/|uploads/|favicon\.ico) - [L]
-- 
GitLab
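Review bot: The three added `[F]` rules match case-sensitively, so on a case-insensitive filesystem a path that differs only in letter case (directory names or the `.ts`/`.txt` suffix) would miss the pattern while still resolving to the same file; adding `NC`, e.g. `RewriteRule ^fileadmin/templates/.*(\.txt|\.ts)$ - [F,NC]`, to all three rules and to their commented httpd.conf variants would cover that. The deny rules are also placed after the versioned-file rule ending in `[L]`; in per-directory context the rewritten path is evaluated again, but for the httpd.conf variant it should be confirmed that the deny rules still apply after that rewrite, or the deny rules moved ahead of it if that rule's ordering requirement permits. The enclosing rewrite section starts and ends outside the hunk; if it is wrapped in an `<IfModule mod_rewrite.c>` block, as seems likely, these restrictions vanish silently when mod_rewrite is not loaded. A comment such as `# NOTE: these restrictions are only enforced while mod_rewrite is active` would make that dependency visible to administrators.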