From 5bc62a64386ec2c9980db440e9c1fa3111b0dc08 Mon Sep 17 00:00:00 2001
From: Dale Sikkema <dsikkema@ebay.com>
Date: Thu, 16 Jul 2015 18:27:36 -0500
Subject: [PATCH] MAGETWO-40265: sensitive resources are web-accessible

---
 .gitignore | 1 +
 .htaccess | 80 ++++++++++++++++++++++++++---
 pub/errors/.htaccess | 6 +--
 setup/config/.htaccess | 2 +
 setup/performance-toolkit/.htaccess | 2 +
 setup/src/.htaccess | 2 +
 setup/view/.htaccess | 2 +
 vendor/.htaccess | 2 +
 8 files changed, 88 insertions(+), 9 deletions(-)
 create mode 100644 setup/config/.htaccess
 create mode 100644 setup/performance-toolkit/.htaccess
 create mode 100644 setup/src/.htaccess
 create mode 100644 setup/view/.htaccess
 create mode 100644 vendor/.htaccess

diff --git a/.gitignore b/.gitignore
index 61d970a274b..1dc24183ad3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,3 +47,4 @@ atlassian*
 /var/*
 !/var/.htaccess
 /vendor
+!/vendor/.htaccess
diff --git a/.htaccess b/.htaccess
index 9f630df0ae6..6f4a72079b4 100644
--- a/.htaccess
+++ b/.htaccess
@@ -170,13 +170,81 @@
 </IfModule>
 ###########################################
-## Deny access to release notes to prevent disclosure of the installed Magento version
-
- <Files RELEASE_NOTES.txt>
- Order allow,deny
- Deny from all
+## Deny access to root files to hide sensitive application information
+ <Files composer.json>
+ order allow,deny
+ deny from all
 </Files>
-############################################
+ <Files composer.lock>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .gitignore>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .htaccess>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .htaccess.sample>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .php_cs>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .travis.yml>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files CHANGELOG.md>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files CONTRIBUTING.md>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files CONTRIBUTOR_LICENSE_AGREEMENT.html>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files COPYING.txt>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files Gruntfile.js>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files LICENSE.txt>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files LICENSE_AFL.txt>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files nginx.conf.sample>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files package.json>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files php.ini.sample>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files README.md>
+ order allow,deny
+ deny from all
+ </Files>
+
+################################
 ## If running in cluster environment, uncomment this
 ## http://developer.yahoo.com/performance/rules.html#etags
diff --git a/pub/errors/.htaccess b/pub/errors/.htaccess
index 5a3f0a15d12..8b6b8e6fff0 100755
--- a/pub/errors/.htaccess
+++ b/pub/errors/.htaccess
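Review bot: The rewritten deny list no longer covers `RELEASE_NOTES.txt`, the one file the removed block existed to hide; unless that file has also been deleted from the docroot (not visible in this hunk), the change reopens the installed-version disclosure it replaces, so keep a `<Files RELEASE_NOTES.txt>` entry or fold it into the list. Eighteen copies of the same three-line stanza are also a maintenance hazard: a name-by-name denylist silently stops protecting anything that lands in the root later (a Composer `auth.json` holding repository credentials, for instance), whereas one anchored `<FilesMatch "^(\..*|composer\.(json|lock)|package\.json|Gruntfile\.js|RELEASE_NOTES\.txt|COPYING\.txt|LICENSE.*|.*\.(md|sample))$">` (plus the remaining licence file) states the same policy in one place and, being anchored on exact names, does not catch `robots.txt`. `order allow,deny` / `deny from all` are Apache 2.2 syntax and on 2.4 need mod_access_compat, and a `.htaccess` is only consulted where `AllowOverride` permits it, so this is worth a one-line comment such as `## Requires AllowOverride Limit (2.2) or mod_access_compat (2.4); nginx users must mirror this in nginx.conf`. The listed `nginx.conf.sample` implies nginx deployments exist, and they receive no protection from this commit at all; the equivalent `location` denies belong in that sample.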
@@ -2,6 +2,6 @@ Options None
 <IfModule mod_rewrite.c>
 RewriteEngine Off
 </IfModule>
-<FilesMatch "\.(xml|phtml)$">
- Deny from all
-</FilesMatch>
\ No newline at end of file
+
+order allow,deny
+deny from all
diff --git a/setup/config/.htaccess b/setup/config/.htaccess
new file mode 100644
index 00000000000..281d5c33db3
--- /dev/null
+++ b/setup/config/.htaccess
@@ -0,0 +1,2 @@
+order allow,deny
+deny from all
diff --git a/setup/performance-toolkit/.htaccess b/setup/performance-toolkit/.htaccess
new file mode 100644
index 00000000000..281d5c33db3
--- /dev/null
+++ b/setup/performance-toolkit/.htaccess
@@ -0,0 +1,2 @@
+order allow,deny
+deny from all
diff --git a/setup/src/.htaccess b/setup/src/.htaccess
new file mode 100644
index 00000000000..281d5c33db3
--- /dev/null
+++ b/setup/src/.htaccess
@@ -0,0 +1,2 @@
+order allow,deny
+deny from all
diff --git a/setup/view/.htaccess b/setup/view/.htaccess
new file mode 100644
index 00000000000..281d5c33db3
--- /dev/null
+++ b/setup/view/.htaccess
@@ -0,0 +1,2 @@
+order allow,deny
+deny from all
diff --git a/vendor/.htaccess b/vendor/.htaccess
new file mode 100644
index 00000000000..cb24fd7fc0b
--- /dev/null
+++ b/vendor/.htaccess
@@ -0,0 +1,2 @@
+Order allow,deny
+Deny from all
-- GitLab
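Review bot: Replacing the `<FilesMatch "\.(xml|phtml)$">` rule with a directory-wide `deny from all` blocks every request under pub/errors, including any CSS or image files of the error skin that are fetched by URL from this directory (not visible in the hunk), so the 503 and report pages would render unstyled at exactly the moment a store can least afford it. A narrower pattern keeps static assets reachable while also closing the gap the old rule left for PHP sources: `<FilesMatch "\.(xml|phtml|php)$">` wrapping `order allow,deny` / `deny from all`. If the intent really is that nothing here is ever served directly, record it, e.g. `# error pages are only ever included by index.php; nothing under this directory is served directly`, so the next person does not relax it by accident. The old rule had no `order` directive and so depended on the server-level default; making it explicit is an improvement that should be kept whichever scope is chosen.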
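Review bot: The five new files do the same thing, but `vendor/.htaccess` spells `Order`/`Deny` in capitals while the four `setup/*/.htaccess` files use lowercase; Apache directives are case-insensitive so this is harmless, but one spelling (`order allow,deny` / `deny from all`, matching the root `.htaccess` in this same commit) stops a reader wondering whether the difference is deliberate. More substantively, `vendor/` is Composer-managed and ignored by git except for this one file (see the `.gitignore` hunk), so a deployment that ships `vendor/` from a build artefact rather than the repository checkout will not carry it; a comment such as `# keep this file when deploying vendor/ from a build, or serve only pub/ as the document root` would flag both the risk and the structural fix. Whether `pub/` is already the recommended document root here is not visible in the diff, but if it is, these files are defence in depth rather than the primary control and the commit message should say so.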