Posted to bugs@httpd.apache.org by bu...@apache.org on 2018/10/30 08:24:11 UTC

[Bug 62867] New: Prevent access to the dot prefixed files by default

https://bz.apache.org/bugzilla/show_bug.cgi?id=62867

            Bug ID: 62867
           Summary: Prevent access to the dot prefixed files by default
           Product: Apache httpd-2
           Version: 2.4.37
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Runtime Config
          Assignee: bugs@httpd.apache.org
          Reporter: vladimir.smitka@lynt.cz
  Target Milestone: ---

There is a configuration block to prevent access to .ht-prefixed files in the
default config:

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<Files ".ht*">
    Require all denied
</Files> 

I think it would be wise to extend it to all dot-prefixed (hidden) files and
dirs except .well-known.

<Directory ~ "/\.(?!well-known\/)">
    Require all denied
</Directory>

I found hundreds of thousands of sites with an exposed .git directory because of it
(https://lynt.cz/blog/global-scan-exposed-git, https://smitka.me/open-git).

It isn't only about .git; other VCSs have the same problem, and it has been known
for a long time (https://news.ycombinator.com/item?id=838981). Other examples are
.DS_Store or temp files created by text editors like vim.

I understand that the webserver shouldn't interfere with the application too
much, but I believe it would be a nice step toward slightly better security.

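As an added illustration that is not part of the report or of httpd itself, the following Python check runs the regex from the proposed <Directory ~> section over constructed sample paths to show which ones it would deny and which it would let through. It assumes the pattern is applied as an unanchored search against the full, normalised filesystem path of the requested resource, a simplification of httpd's directory walk; the DocumentRoot /var/www/html and all sample paths are made up for the demonstration.

```python
import re

# The regex from the proposed <Directory ~ "..."> section, verbatim.
# Both PCRE and Python's re treat "\/" as a literal slash.
DOT_DENY_RE = re.compile(r"/\.(?!well-known\/)")


def is_denied(fs_path: str) -> bool:
    """True if the proposed section would apply 'Require all denied'.

    Assumption: the pattern is matched as an unanchored search against the
    full, normalised filesystem path the request mapped to (a simplification
    of httpd's directory walk, used here only for illustration).
    """
    return DOT_DENY_RE.search(fs_path) is not None


def audit(paths):
    """Split the given paths into those the rule blocks and those it allows."""
    denied = [p for p in paths if is_denied(p)]
    allowed = [p for p in paths if not is_denied(p)]
    return denied, allowed


# Constructed sample paths under a hypothetical DocumentRoot of /var/www/html.
SAMPLE_PATHS = [
    "/var/www/html/index.php",                       # ordinary file: allowed
    "/var/www/html/.git/HEAD",                       # VCS metadata: denied
    "/var/www/html/assets/.svn/wc.db",               # VCS dir nested deeper: denied
    "/var/www/html/.DS_Store",                       # macOS Finder file: denied
    "/var/www/html/.index.php.swp",                  # vim swap file: denied
    "/var/www/html/.htpasswd",                       # already covered by .ht*: denied
    "/var/www/html/.well-known/acme-challenge/tok",  # must stay reachable: allowed
    "/var/www/html/.well-known/.hidden",             # dotfile inside .well-known: denied
    "/var/www/html/.well-known-old/secret",          # lookalike dir, no "/" after name: denied
]

if __name__ == "__main__":
    denied, allowed = audit(SAMPLE_PATHS)
    print("denied:")
    for p in denied:
        print("  ", p)
    print("allowed:")
    for p in allowed:
        print("  ", p)
```

Note that editor backup files such as index.php~ are not dot-prefixed and therefore fall outside this rule, so they need a separate section if they are a concern.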