/app/webroot/discussions/ has several subdirectories with .htaccess files like this one:

    <Limit GET POST PUT>
    Order Allow,Deny
    Deny from All
    </Limit>

Why are only GET, POST and PUT denied? Am I still allowed to access the directory using the HEAD method? From http://httpd.apache.org/docs/2.0/mod/core.html#limit: "In the general case, access control directives should not be placed within a <Limit> section." Note that I still got 403 Forbidden when trying to access some file using the HEAD method, but I guess it was the cache server translating HEAD into GET.
Severity: major → normal
Pushing out all these discussions bugs to 3.4.6
Target Milestone: 3.4.5 → 3.4.6
Created attachment 329102: Revised .htaccess files denying access to *.php rather than by method

Revised the .htaccess files and added one for themes/ (for bug 374045) which deny access to *.php rather than deny by method, since that seems to have been the original purpose for the out-of-box Vanilla versions.
Comment on attachment 329102: Revised .htaccess files denying access to *.php rather than by method

In the conf dir, there's a readme which will be exposed by these. Also, what if somebody adds a .inc etc. file? Would it be better to just have an unrestricted <Limit>?
I think just dropping the <Limit> tag will be better - why should it be possible to access these directories from the web?
Created attachment 330273: Revised .htaccess files denying all access, except for theme directories with CSS / images

Okay, new patch. Dropping all limit tags to deny all web access to the Vanilla lib directories, adding another couple of .htaccess files to re-allow access to CSS and images per bug 374045.
When you introduce a rule for /themes, won't that apply to all subdirectories as well? I think so, so there's no reason to repeat the same ones in subdirectories again. Also, if you're solving bug 374045 in here, will you dupe it to this?
The rule for /themes is to deny all, which is overridden to allow all in the individual theme directories with CSS and image files. Is that what you're seeing...? If so, it's not a repeat. I'll also dupe bug 374045 to this one - this one is more inclusive.
Comment on attachment 330273: Revised .htaccess files denying all access, except for theme directories with CSS / images

See, had I read the patch right, I'd have noticed that. ;) Sorry. Yes, this makes so much more sense than what I imagined before.
Attachment #330273 - Flags: review- → review+
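The following is an added example illustrating both the method-limited .htaccess quoted in the first comment and the deny-all-then-re-allow layout agreed on for attachment 330273. It is not one of the patched files from the bug. Directory names below the ones named on the page (library/, themes/default/) are assumptions, and the FilesMatch restriction to static asset extensions goes one step beyond the patch, which re-allowed everything inside the theme directories. The Apache core documentation for <Limit> states that the enclosed access control applies only to the listed methods (listing GET also covers HEAD), so any other method reaches the files untouched by the Deny.

```apacheconf
# Added example, not the project's .htaccess files (Apache 2.2 syntax,
# matching the page; 2.4 equivalents at the end). Each block is labelled
# with the file it would live in; the paths under discussions/ other than
# themes/ are assumed.

# --- Weak form (the one quoted in the bug): only GET, POST and PUT are
#     subject to the Deny. HEAD is covered because GET is listed; any
#     other method (OPTIONS, PROPFIND, an arbitrary verb) is not. ---
<Limit GET POST PUT>
    Order Allow,Deny
    Deny from All
</Limit>

# --- Hardened form for a library directory that has no reason to be
#     reachable from the web, e.g. /app/webroot/discussions/library/.htaccess
#     (directory name assumed): no <Limit>, so every method is denied. ---
Order Allow,Deny
Deny from All

# --- /app/webroot/discussions/themes/.htaccess: deny the whole tree ... ---
Order Allow,Deny
Deny from All

# --- /app/webroot/discussions/themes/default/.htaccess (theme name assumed):
#     ... and re-allow only the static assets a browser needs. A bare
#     "Allow from All" here would also expose any .php, .inc or readme
#     file that later lands in the theme directory, which is the concern
#     raised about the first patch. With Order Deny,Allow the Allow inside
#     FilesMatch overrides the directory-wide Deny for matching names only. ---
Order Deny,Allow
Deny from All
<FilesMatch "\.(css|gif|jpe?g|png)$">
    Allow from All
</FilesMatch>

# --- Apache 2.4 equivalents of the deny-all / static-only pair above ---
# Require all denied
# <FilesMatch "\.(css|gif|jpe?g|png)$">
#     Require all granted
# </FilesMatch>
```

These files only take effect where the enclosing server configuration grants AllowOverride for the access-control directives; if it does not, Apache ignores the .htaccess and the directory stays open. After deploying, check a non-listed method as well as GET (for example an OPTIONS or HEAD request against a .php file under the library directory) and confirm every method returns 403, rather than relying on a cache in front of the server to rewrite methods.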
Fixed in r17169
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard