Todo #8005
Block direct download of .inc files
Status:
closed
Start date:
10/24/2017
% Done:
100%
Description
If a user tries to directly access a file ending in .inc, the browser will offer to download the file. There are no .inc files containing secrets (it's all on GitHub), so this is primarily a safety belt.
It seems easy to block without harming anything by adding a section like this above the php location directive in the nginx config:
location ~ \.inc$ {
    deny all;      # refuse the request for every client
    return 403;    # answer with an explicit 403 Forbidden
}
I don't see any other file types under /usr/local/www/ that should be blocked; everything else appears to be web assets as expected.
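For context, the following is an added example server block (not the project's own nginx config) showing where the .inc deny sits relative to the PHP handler and why the order matters. The server_name, root, fastcgi socket path and the shape of the PHP location are assumed placeholders.

```nginx
# Added example, not the project's configuration. server_name, root and the
# fastcgi socket are assumed values.
server {
    listen 80;
    server_name example.org;
    root /usr/local/www;
    index index.php index.html;

    # nginx's stock mime.types has no entry for .inc, so a direct request for
    # /lib/foo.inc is served with default_type (application/octet-stream) and
    # the browser offers it as a download. Refuse such requests outright.
    # Regex locations are tested in order of appearance and the first match
    # wins, so this block is placed above the PHP handler: whatever that
    # handler's regex matches, a URI ending in .inc is answered here first.
    location ~ \.inc$ {
        deny all;     # access phase: 403 for every client
        return 403;   # rewrite phase: explicit 403, fires before the access check
    }

    # PHP handler (assumed shape); order relative to the block above is the point.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;   # assumed socket path
    }

    # Everything else is served as a static asset.
    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading, `nginx -t` should report the config as valid, and a `curl -I` against any path ending in .inc should return 403 while .php and static asset requests behave as before. Either `deny all` or `return 403` on its own already produces the 403; keeping both is harmless and makes the intent obvious to the next reader.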