Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/10/30 08:24:11 UTC
[Bug 62867] New: Prevent access to the dot prefixed files by default
https://bz.apache.org/bugzilla/show_bug.cgi?id=62867
Bug ID: 62867
Summary: Prevent access to the dot prefixed files by default
Product: Apache httpd-2
Version: 2.4.37
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Runtime Config
Assignee: bugs@httpd.apache.org
Reporter: vladimir.smitka@lynt.cz
Target Milestone: ---
There is a configuration block to prevent access to .ht prefixed files in the
default config:
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
I think it would be wise to extend it to all dot prefixed (hidden) files and
dirs except .well-known.
<Directory ~ "/\.(?!well-known\/)">
Require all denied
</Directory>
I found hundreds of thousands of sites with exposed .git directory because of it
(https://lynt.cz/blog/global-scan-exposed-git, https://smitka.me/open-git).
It isn't only about .git, other VCS have the same problem and it has been known for a long
time (https://news.ycombinator.com/item?id=838981). Other examples are
.DS_Store or temp files created by text editors like vim.
I understand that the webserver shouldn't interfere with the application too
much, but I believe it would be a nice step toward slightly better security.
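The regular expression in the proposed <Directory ~ "/\.(?!well-known\/)"> section decides which directory paths fall under "Require all denied". The following script is an added example, not part of the bug report or of httpd, that applies that exact pattern to a handful of constructed directory paths so the allow/deny outcome can be checked before the block goes into a live config. It also includes an assumed variant, TRAILING_SLASH_SAFE, which is not from the report: the httpd documentation for regex directory sections notes that the matched path may or may not end in a trailing slash, and with the proposed pattern a path ending in ".well-known" without the slash is denied, while the variant accepts both spellings.

```python
import re

# Pattern exactly as proposed in the bug report's <Directory ~ ...> section.
PROPOSED = r"/\.(?!well-known\/)"

# Assumed variant (not from the report): treat ".well-known" as allowed whether
# the matched directory path ends with a slash or not.
TRAILING_SLASH_SAFE = r"/\.(?!well-known(?:/|$))"


def is_denied(directory_path: str, pattern: str = PROPOSED) -> bool:
    """True if the <Directory ~ pattern> section would apply to this directory
    path, i.e. the enclosed 'Require all denied' takes effect."""
    return re.search(pattern, directory_path) is not None


def classify(paths, pattern=PROPOSED):
    """Map each directory path to its deny (True) / allow (False) outcome."""
    return {p: is_denied(p, pattern) for p in paths}


# Constructed sample directory paths under a hypothetical DocumentRoot.
SAMPLE_DIRS = [
    "/var/www/html/.git",                   # exposed VCS metadata
    "/var/www/html/.git/objects",
    "/var/www/html/.svn/",
    "/var/www/html/.well-known/",           # ACME challenges etc. must stay reachable
    "/var/www/html/.well-known/acme-challenge",
    "/var/www/html/.well-known",            # same directory, no trailing slash
    "/var/www/html/.well-known-old/",       # looks similar, is not .well-known
    "/var/www/html/assets",                 # ordinary directory
    "/var/www/html/v1.2/docs",              # dot inside a name, not a prefix
]

if __name__ == "__main__":
    for name, pattern in (("proposed", PROPOSED),
                          ("trailing-slash-safe", TRAILING_SLASH_SAFE)):
        print(name)
        for path, denied in classify(SAMPLE_DIRS, pattern).items():
            print(f"  {'DENY ' if denied else 'allow'} {path}")
```

Two things worth keeping in mind when reading the output: the pattern only keys on a dot immediately after a slash, so names like v1.2 are unaffected, and a <Directory> section matches directory paths, so dot-prefixed files sitting directly in a directory (a stray .DS_Store in the DocumentRoot, an editor swap file) are a separate concern that a file-level section such as the existing <Files ".ht*"> block addresses.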