Deny / hide access to files that begin with DOT, such as .git, .svn, .DS_Store, .yml

By default Apache denies access to files whose name begins with .ht, such as .htaccess:

<Files ~ "^\.ht">
    Require all denied
</Files>

But I notice that many files use the . prefix, like .gitignore. I believe that this file does no harm, but I still think that the use of the dot as a prefix is "strongly" directed at configuration files. I think it might be interesting to deny access to these files in general by doing something like:

RewriteEngine On

# Only act when the target really exists on disk (directory OR regular file);
# without [OR] the two conditions are ANDed and can never both be true
RewriteCond %{REQUEST_FILENAME} -d [OR]
RewriteCond %{REQUEST_FILENAME} -f

# Any path segment that starts with "." (in the root or a subdirectory) -> HTTP 403
RewriteRule (^|/)\. - [F,L]

In IIS maybe it's something like:

<!-- Match a dot segment anywhere in the path; act only when the target exists
     as a directory OR a file (MatchAny). The negate="true" pair inverted the
     test, and AbortRequest drops the connection instead of returning 403. -->
<rule name="Redirect to routes" stopProcessing="true">
    <match url="(^|/)\." ignoreCase="false" />
    <conditions logicalGrouping="MatchAny">
        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" />
        <add input="{REQUEST_FILENAME}" matchType="IsFile" />
    </conditions>
    <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Access to hidden files is denied" />
</rule>

The file check is added because, if the file does not exist, it should return 404 and not 403.

Would this be a "good use", or does . as a prefix have other uses besides configuration files?

If this is the case then I would swap it for a "group" of file types:

(^|/)\.(git|gitignore|yml|svn)$
Author: viana, 2017-05-03

2 answers

For the file server case, it is more reliable to block direct access to files/directories that begin with the prefix ., because they usually contain configuration information that can be confidential; it is better to block by default and release by whitelist. I found this article that deals broadly with your doubts. Excerpt from this article:

Disabling hidden files both on the request side and the file serving side should protect you from leaking hidden files, barring other application security holes.

In free translation:

Disabling hidden files, both on the request side and on the file service side, should protect you from leaking hidden files by blocking other security holes in the application.

Of course, this depends a lot on how your project is organized and how you deploy it; if you deploy by extracting a zip, ensure that the zip does not contain the files with sensitive information (for example, using a make package.zip target that compresses all your scripts into a zip).

For links that use the . prefix but do not map to files (as you noted yourself), there are no restrictions. For example, Wikimedia is written entirely in PHP, usually deployed on Apache Server; it intercepts the URL and interprets what needs to be sent, rather than serving the file directly (with the exception of uploaded files).

 4
Author: Jefferson Quesado, 2017-06-01 17:12:21
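The question's RewriteCond/RewriteRule pair and the first answer's "block by default, release by whitelist" advice describe one decision procedure; the script below is an added example (not code from the question, the answers, Apache or IIS) that models that procedure in pure Python so its edge cases can be exercised without a running web server. It builds a throwaway document root with a few constructed files, then classifies request paths exactly as the rules would: a dot segment anywhere in the path that exists on disk is 403, a missing one is 404, and everything else is 200/404. The whitelist of .well-known is an assumption of this example (it is the one dot-directory that ACME validation and security.txt need reachable), as is the hide_existence switch, which shows the trade-off the question's 403-only-if-exists design makes: it reveals which dotfiles exist, whereas a uniform 404 does not.

```python
"""
Added example: a Python model of the dotfile access decision encoded by the
RewriteCond -d/-f + RewriteRule (^|/)\\. pair, with a whitelist for .well-known.
Not part of the original question or answers.
"""
import os
import posixpath
import tempfile

# Assumption of this example: dot-directories that stay reachable despite the
# blanket deny (ACME http-01 challenges and security.txt live under .well-known).
WHITELISTED_DOT_SEGMENTS = {".well-known"}


def normalise(url_path: str) -> str:
    """Collapse '.', '..' and duplicate slashes, anchored at the docroot,
    so 'static/../.git/config' is seen as '.git/config' and cannot escape."""
    path = posixpath.normpath("/" + url_path.lstrip("/"))
    return path.lstrip("/")


def is_hidden(rel_path: str) -> bool:
    """True when any segment begins with '.' and is not whitelisted.
    This is the (^|/)\\. regex applied per segment."""
    for seg in rel_path.split("/"):
        if seg.startswith(".") and seg not in WHITELISTED_DOT_SEGMENTS:
            return True
    return False


def decide(docroot: str, url_path: str, hide_existence: bool = False) -> int:
    """Return the HTTP status the rule set would produce for url_path."""
    rel = normalise(url_path)
    exists = os.path.exists(os.path.join(docroot, rel))
    if is_hidden(rel):
        if hide_existence:
            return 404  # uniform answer: no oracle for which dotfiles exist
        # The RewriteCond -d / -f pair: only an existing hidden target is 403,
        # a missing one falls through to the ordinary 404 (the question's intent).
        return 403 if exists else 404
    return 200 if exists else 404


def build_sample_docroot() -> str:
    """Create a temporary docroot with constructed sample files."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "index.php": "<?php echo 'hi';",
        ".gitignore": "vendor/\n",
        ".git/config": "[core]\n\trepositoryformatversion = 0\n",
        "config/.env.yml": "db_password: constructed-sample\n",
        ".well-known/security.txt": "Contact: mailto:security@example.invalid\n",
        "app/.DS_Store": "",
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root


def run_checks() -> dict:
    """Classify a set of request paths against the sample docroot."""
    root = build_sample_docroot()
    cases = [
        "/index.php",                 # ordinary file -> 200
        "/.gitignore",                # existing dotfile -> 403
        "/.git/config",               # file inside a dot-directory -> 403
        "/.git",                      # the dot-directory itself -> 403
        "/config/.env.yml",           # dotfile in a subdirectory -> 403
        "/app/.DS_Store",             # -> 403
        "/.well-known/security.txt",  # whitelisted -> 200
        "/.svn/entries",              # does not exist -> 404, not 403
        "/static/../.git/config",     # traversal collapses to /.git/config -> 403
        "/missing.php",               # -> 404
    ]
    return {p: decide(root, p) for p in cases}


if __name__ == "__main__":
    for path, status in run_checks().items():
        print(f"{status}  {path}")
```

On Apache the same whitelist is one extra condition in front of the rule, `RewriteCond %{REQUEST_URI} !^/\.well-known/`; note that a plain `<FilesMatch "^\.">` / `<DirectoryMatch "/\.">` block with `Require all denied` has no existence check at all, so it answers 403 for dotfiles that do not exist either, which is the uniform behaviour hide_existence models.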

This is the solution I have been using; otherwise all files with an extension would be directed to the right of the ., and so all files starting with .giti are directed elsewhere.

# Deny the Apache control files explicitly (Apache 2.2 access-control syntax;
# on 2.4 this needs mod_access_compat, or "Require all denied" instead)
<Files ~ "^\.(htaccess|htpasswd)$">
    deny from all
</Files>
ErrorDocument 404 /pt/404.php

# Force HTTPS: anything arriving on port 80 is redirected permanently
RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*) https://www.exemplo.com/$1 [R=301,L]

DirectoryIndex index.php

# Redirect only takes a literal URL prefix; a regex needs RedirectMatch
RedirectMatch permanent ^/\.giti /index.php

# No Deny directive follows, so this allows everyone (redundant but harmless)
Order deny,allow
 0
Author: Ricardo Jorge Pardal, 2017-06-03 20:46:18