[WIP] Web Server Config URL Rewrite Rules White List (getgrav#1458)

ScottHamper · rhukster · commit fc5c3023c6ba · 2017-05-06T11:09:31.000-06:00
* Escaped literal periods in web server config files rewrite rules.

* Black listed "yml" file extension in web server configs rewrite rules.
diff --git a/.htaccess b/.htaccess
@@ -54,17 +54,17 @@ RewriteRule .* index.php [L]
 
 ## Begin - Security
 # Block all direct access for these folders
-RewriteRule ^(.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
+RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
 # Block access to specific file types for these system folders
-RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block access to specific file types for these user folders
-RewriteRule ^(user)/(.*)\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block all direct access to .md files:
 RewriteRule \.md$ error [F]
 # Block all direct access to files and folders beginning with a dot
 RewriteRule (^|/)\.(?!well-known) - [F]
 # Block access to specific files in the root folder
-RewriteRule ^(LICENSE.txt|composer.lock|composer.json|\.htaccess)$ error [F]
+RewriteRule ^(LICENSE\.txt|composer\.lock|composer\.json|\.htaccess)$ error [F]
 ## End - Security
 
 </IfModule>
diff --git a/webserver-configs/Caddyfile b/webserver-configs/Caddyfile
@@ -5,22 +5,22 @@ fastcgi / 127.0.0.1:9000 php
 # Begin - Security
 # deny all direct access for these folders
 rewrite {
-    r       /(.git|cache|bin|logs|backups|tests)/.*$
+    r       /(\.git|cache|bin|logs|backups|tests)/.*$
     to  	/403
 }
 # deny running scripts inside core system folders
 rewrite {
-    r       /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$
+    r       /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
     to  	/403
 }
 # deny running scripts inside user folder
 rewrite {
-    r       /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$
+    r       /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
     to  	/403
 }
 # deny access to specific files in the root folder
 rewrite {
-    r       /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess)
+    r       /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)
     to  	/403
 }
 
diff --git a/webserver-configs/Caddyfile-0.8.x b/webserver-configs/Caddyfile-0.8.x
@@ -7,22 +7,22 @@ fastcgi / 127.0.0.1:9000 php
 # Begin - Security
 # deny all direct access for these folders
 rewrite {
-    r       /(.git|cache|bin|logs|backups|tests)/.*$
+    r       /(\.git|cache|bin|logs|backups|tests)/.*$
     status  403
 }
 # deny running scripts inside core system folders
 rewrite {
-    r       /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$
+    r       /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
     status  403
 }
 # deny running scripts inside user folder
 rewrite {
-    r       /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$
+    r       /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
     status  403
 }
 # deny access to specific files in the root folder
 rewrite {
-    r       /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess)
+    r       /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)
     status  403
 }
 ## End - Security
diff --git a/webserver-configs/htaccess.txt b/webserver-configs/htaccess.txt
@@ -54,22 +54,22 @@ RewriteRule .* index.php [L]
 
 ## Begin - Security
 # Block all direct access for these folders
-RewriteRule ^(.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
+RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
 # Block access to specific file types for these system folders
-RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block access to specific file types for these user folders
-RewriteRule ^(user)/(.*)\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block all direct access to .md files:
 RewriteRule \.md$ error [F]
 # Block all direct access to files and folders beginning with a dot
 RewriteRule (^|/)\.(?!well-known) - [F]
 # Block access to specific files in the root folder
-RewriteRule ^(LICENSE.txt|composer.lock|composer.json|\.htaccess)$ error [F]
+RewriteRule ^(LICENSE\.txt|composer\.lock|composer\.json|\.htaccess)$ error [F]
 ## End - Security
 
 </IfModule>
 
 # Begin - Prevent Browsing and Set Default Resources
 Options -Indexes
 DirectoryIndex index.php index.html index.htm
-# End - Prevent Browsing and Set Default Resources
+# End - Prevent Browsing and Set Default Resources
diff --git a/webserver-configs/lighttpd.conf b/webserver-configs/lighttpd.conf
@@ -27,13 +27,13 @@ url.rewrite-if-not-file = (
 )
 
 #IMPROVING SECURITY
-$HTTP["url"] =~ "^/grav_path/(LICENSE.txt|composer.json|composer.lock|nginx.conf|web.config)$" {
+$HTTP["url"] =~ "^/grav_path/(LICENSE\.txt|composer\.json|composer\.lock|nginx\.conf|web\.config)$" {
     url.access-deny = ("")
 }
-$HTTP["url"] =~ "^/grav_path/(.git|cache|bin|logs|backup|tests)/(.*)" {
+$HTTP["url"] =~ "^/grav_path/(\.git|cache|bin|logs|backup|tests)/(.*)" {
     url.access-deny = ("")
 }
-$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$" {
+$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" {
     url.access-deny = ("")
 }
 $HTTP["url"] =~ "^/grav_path/(\.(.*))" {
diff --git a/webserver-configs/nginx.conf b/webserver-configs/nginx.conf
@@ -18,13 +18,13 @@ server {
 
     ## Begin - Security
     # deny all direct access for these folders
-    location ~* /(.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+    location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
     # deny running scripts inside core system folders
-    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
     # deny running scripts inside user folder
-    location ~* /user/.*\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+    location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
     # deny access to specific files in the root folder
-    location ~ /(LICENSE.txt|composer.lock|composer.json|nginx.conf|web.config|htaccess.txt|\.htaccess) { return 403; }
+    location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
     ## End - Security
 
     ## Begin - PHP
diff --git a/webserver-configs/web.config b/webserver-configs/web.config
@@ -18,19 +18,19 @@
                     <action type="Rewrite" url="index.php" />
                 </rule>
                 <rule name="user_error_redirect" stopProcessing="true">
-                    <match url="^(user)/(.*)\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" />
+                    <match url="^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" />
                     <action type="Redirect" url="error" redirectType="Permanent" />
                 </rule>
                 <rule name="ignore_folders" stopProcessing="true">
-                    <match url="^(.git|cache|bin|logs|backup|webserver-configs|tests)/(.*)" ignoreCase="false" />
+                    <match url="^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*)" ignoreCase="false" />
                     <action type="Redirect" url="error" redirectType="Permanent" />
                 </rule>
                 <rule name="system" stopProcessing="true">
-                    <match url="^system/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$" ignoreCase="false" />
+                    <match url="^system/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" />
                     <action type="Redirect" url="error" redirectType="Permanent" />
                 </rule>
                 <rule name="vendor" stopProcessing="true">
-                    <match url="^vendor/(.*)\.(txt|md|html|yaml|php|twig|sh|bat)$" ignoreCase="false" />
+                    <match url="^vendor/(.*)\.(txt|md|html|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" />
                     <action type="Redirect" url="error" redirectType="Permanent" />
                 </rule>
             </rules>

Original file line number	Diff line number	Diff line change
`@@ -27,13 +27,13 @@ url.rewrite-if-not-file = (`
`27`	`27`	`)`
`28`	`28`
`29`	`29`	`#IMPROVING SECURITY`
`30`		`-$HTTP["url"] =~ "^/grav_path/(LICENSE.txt\|composer.json\|composer.lock\|nginx.conf\|web.config)$" {`
	`30`	`+$HTTP["url"] =~ "^/grav_path/(LICENSE\.txt\|composer\.json\|composer\.lock\|nginx\.conf\|web\.config)$" {`
`31`	`31`	`url.access-deny = ("")`
`32`	`32`	`}`
`33`		`-$HTTP["url"] =~ "^/grav_path/(.git\|cache\|bin\|logs\|backup\|tests)/(.*)" {`
	`33`	`+$HTTP["url"] =~ "^/grav_path/(\.git\|cache\|bin\|logs\|backup\|tests)/(.*)" {`
`34`	`34`	`url.access-deny = ("")`
`35`	`35`	`}`
`36`		`-$HTTP["url"] =~ "^/grav_path/(system\|user\|vendor)/(.*)\.(txt\|md\|html\|yaml\|php\|twig\|sh\|bat)$" {`
	`36`	`+$HTTP["url"] =~ "^/grav_path/(system\|user\|vendor)/(.*)\.(txt\|md\|html\|yaml\|yml\|php\|twig\|sh\|bat)$" {`
`37`	`37`	`url.access-deny = ("")`
`38`	`38`	`}`
`39`	`39`	`$HTTP["url"] =~ "^/grav_path/(\.(.*))" {`