
Todo #8005

Block direct download of .inc files

Added by Jim Pingle almost 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Low
Assignee:
Category: Web Interface
Target version:
Start date: 10/24/2017
Due date:
% Done: 100%
Estimated time:

Description

If a user tries to directly access a file ending in .inc, the browser will offer to download the file. There are no .inc files containing secrets (it's all on github), so this is primarily a safety belt.

Seems easy to block without harming anything by adding a section like this above the php location directive in the nginx config:

        location ~ \.inc$ {
            deny all;
            return 403;
        }

I don't see any other file types under /usr/local/www/ that should be blocked, everything else appears to be web assets as expected.

Associated revisions

Revision b1fccd42 (diff)
Added by Jim Pingle almost 2 years ago

Do not allow direct download of .inc files (unparsed PHP source). Fixes #8005

Revision 71c70114 (diff)
Added by Jim Pingle almost 2 years ago

Do not allow direct download of .inc files (unparsed PHP source). Fixes #8005

(cherry picked from commit b1fccd42547201f4dbfe941bcc59c8eac3456364)

Revision 82405c15 (diff)
Added by Jim Pingle almost 2 years ago

Do not allow direct download of .inc files (unparsed PHP source). Fixes #8005

(cherry picked from commit b1fccd42547201f4dbfe941bcc59c8eac3456364)
(cherry picked from commit 71c70114aa10e594253b9bf85df155774199e2bc)

Revision 51e4121f (diff)
Added by Jim Pingle almost 2 years ago

Do not allow direct download of .inc files (unparsed PHP source). Fixes #8005

(cherry picked from commit b1fccd42547201f4dbfe941bcc59c8eac3456364)
(cherry picked from commit 71c70114aa10e594253b9bf85df155774199e2bc)
(cherry picked from commit 82405c15fabd5759f05ecdfab92942c63a07ae16)

History

#1 Updated by Jim Pingle almost 2 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

#2 Updated by Constantine Kormashev almost 2 years ago

Could not download one

ls -al /usr/local/www/guiconfig.inc
-rw-r--r--  1 root  wheel  35194 Sep 28 15:07 /usr/local/www/guiconfig.inc

curl http://10.0.0.128/guiconfig.inc
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>

#3 Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Resolved
