Project

General

Profile

Actions

Todo #8005

closed

Block direct download of .inc files

Added by Jim Pingle almost 7 years ago. Updated almost 7 years ago.

Status:
Resolved
Priority:
Low
Assignee:
Category:
Web Interface
Target version:
Start date:
10/24/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

If a user tries to directly access a file ending in .inc, the browser will offer to download the file. There are no .inc files containing secrets (it's all on github), so this is primarily a safety belt.

Seems easy to block without harming anything by adding a section like this above the php location directive in the nginx config:

        location ~ \.inc$ {
            deny all;
            return 403;
        }

I don't see any other file types under /usr/local/www/ that should be blocked, everything else appears to be web assets as expected.

Actions #1

Updated by Jim Pingle almost 7 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Constantine Kormashev almost 7 years ago

Could not download one

ls -al /usr/local/www/guiconfig.inc
-rw-r--r--  1 root  wheel  35194 Sep 28 15:07 /usr/local/www/guiconfig.inc

curl http://10.0.0.128/guiconfig.inc
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
Actions #3

Updated by Jim Pingle almost 7 years ago

  • Status changed from Feedback to Resolved
Actions

Also available in: Atom PDF