Todo #8005 (closed): Block direct download of .inc files
Start date: 10/24/2017
% Done: 100%
Description
If a user tries to directly access a file ending in .inc, the browser will offer to download the file. There are no .inc files containing secrets (it's all on github), so this is primarily a safety belt.
Seems easy to block without harming anything by adding a section like this above the php location directive in the nginx config:
    location ~ \.inc$ {
        deny all;
        return 403;
    }
I don't see any other file types under /usr/local/www/ that should be blocked, everything else appears to be web assets as expected.
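The two claims in the description, that a `location ~ \.inc$` rule covers every .inc file and that nothing else under the web root needs blocking, are both easy to verify mechanically. The script below is an added example, not code from the ticket or from pfSense: it mirrors how nginx evaluates a `location ~` regex (path only, no query string, case-sensitive unless `~*` is used), walks a constructed sample web root (not the real /usr/local/www), and reports which files the rule would deny and which remaining files carry an extension outside an assumed allow-list of web asset types. Both the allow-list and the sample file names are assumptions made for the example.

```python
import os
import re
import tempfile
from collections import defaultdict

# nginx tests a `location ~` regex against the URI path only (the query string
# is not part of location matching) and case-sensitively; `~*` would be
# case-insensitive. This is the pattern from the ticket.
INC_BLOCK_PATTERN = re.compile(r"\.inc$")

# Assumed allow-list of extensions expected to be served directly from the
# web root. This is an example list, not a pfSense-provided one.
EXPECTED_WEB_ASSETS = {".php", ".html", ".css", ".js", ".png",
                       ".gif", ".ico", ".svg", ".woff2"}


def would_be_blocked(uri: str) -> bool:
    """True if `location ~ \\.inc$ { deny all; }` would match this request URI."""
    path = uri.split("?", 1)[0]          # drop the query string, as nginx does
    return INC_BLOCK_PATTERN.search(path) is not None


def audit_webroot(root: str) -> dict:
    """Walk a web root; list files the .inc rule denies and files whose
    extension is not an expected web asset (and so deserve a second look)."""
    report = {"blocked": [], "unexpected": [], "by_ext": defaultdict(int)}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = "/" + os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            report["by_ext"][ext] += 1
            if would_be_blocked(rel):
                report["blocked"].append(rel)
            elif ext not in EXPECTED_WEB_ASSETS:
                report["unexpected"].append(rel)
    report["blocked"].sort()
    report["unexpected"].sort()
    return report


def build_sample_webroot() -> str:
    """Create a constructed sample tree in a temp dir (file names are made up
    for the example; the contents are placeholders)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    sample_files = ["index.php", "guiconfig.inc", "css/style.css", "js/app.js",
                    "includes/auth.inc", "includes/auth.inc.bak", "Notes.INC"]
    for f in sample_files:
        p = os.path.join(root, f)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write("placeholder\n")
    return root


if __name__ == "__main__":
    report = audit_webroot(build_sample_webroot())
    print("denied by the .inc rule:     ", report["blocked"])
    print("served, not an expected asset:", report["unexpected"])
    print("files per extension:          ", dict(report["by_ext"]))
```

Running it shows the edge of the rule: `guiconfig.inc` and `includes/auth.inc` are denied, including with a query string appended, while `Notes.INC` (different case) and `auth.inc.bak` (extra suffix) are not matched and surface in the "unexpected" list instead. That second list is the check behind the description's last sentence: on a real web root it should come back empty, or contain only files you can explain.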
Updated by Jim Pingle almost 7 years ago
- Status changed from Assigned to Feedback
- % Done changed from 0 to 100
Applied in changeset b1fccd42547201f4dbfe941bcc59c8eac3456364.
Updated by Constantine Kormashev almost 7 years ago
Could not download one
ls -al /usr/local/www/guiconfig.inc
-rw-r--r--  1 root  wheel  35194 Sep 28 15:07 /usr/local/www/guiconfig.inc

curl http://10.0.0.128/guiconfig.inc
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
Updated by Jim Pingle almost 7 years ago
- Status changed from Feedback to Resolved