
[Bug 62867] New: Prevent access to the dot prefixed files by default


            Bug ID: 62867
           Summary: Prevent access to the dot prefixed files by default
           Product: Apache httpd-2
           Version: 2.4.37
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Runtime Config
          Assignee: bugs@xxxxxxxxxxxxxxxx
          Reporter: vladimir.smitka@xxxxxxx
  Target Milestone: ---

There is a configuration block to prevent access to .ht prefixed files in the
default config:

# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ".ht*">
    Require all denied
</Files>

I think it would be wise to extend it to all dot prefixed (hidden) files and
dirs except .well-known.

<Directory ~ "/\.(?!well-known\/)">
    Require all denied
</Directory>

I found hundreds of thousands of sites with exposed .git directories because of it
(https://lynt.cz/blog/global-scan-exposed-git, https://smitka.me/open-git).

It isn't only about .git; other VCSs have the same problem and it has been known for
a long time (https://news.ycombinator.com/item?id=838981). Other examples are
.DS_Store or temp files created by text editors like vim.

I understand that the webserver shouldn't interfere with the application too
much, but I believe it would be a nice step towards slightly better security.
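The following is an added example, not part of the report, that checks what the proposed <Directory ~> block covers against the kinds of paths named above (.git, .svn, .DS_Store, vim swap files). It models httpd's section matching in a simplified way (a regex <Directory> section is tested against the directory holding the requested file, a regex <Files> section against the basename), assumes a document root of /var/www/html, and treats DIR_RE_ROBUST and FILE_RE as hypothetical alternatives rather than anything the report proposes. The trailing-slash parameter exists because the httpd documentation notes that the matched directory path may or may not end in a slash.

```python
import re
from pathlib import PurePosixPath

# Assumed document root for the constructed sample requests.
DOCROOT = "/var/www/html"

# Pattern from the report's proposed <Directory ~ "..."> block.
DIR_RE_PROPOSED = re.compile(r"/\.(?!well-known\/)")
# Hypothetical variants: a directory pattern that does not depend on a trailing
# slash, and a <FilesMatch>-style pattern for the dot-files themselves.
DIR_RE_ROBUST = re.compile(r"/\.(?!well-known(/|$))")
FILE_RE = re.compile(r"^\.(?!well-known$)")

# Constructed sample requests, not data taken from the report.
SAMPLE_URIS = [
    "/.git/config",               # VCS metadata inside a dot-directory
    "/app/.svn/entries",
    "/.env",                      # dot-files directly in a content directory
    "/.DS_Store",
    "/.index.php.swp",            # vim swap file, also dot-prefixed
    "/.well-known/security.txt",  # must stay reachable
    "/index.html",
]

def is_denied(uri, dir_re, file_re=None, trailing_slash=True):
    """Simplified model of httpd section matching: a regex <Directory> section
    is tested against the filesystem directory holding the requested file, a
    regex <Files> section against the file's basename. The httpd docs say the
    directory path may or may not end in a slash, so that is a parameter."""
    path = PurePosixPath(DOCROOT + uri)
    directory = str(path.parent) + ("/" if trailing_slash else "")
    if dir_re.search(directory):
        return True
    return bool(file_re and file_re.search(path.name))

def evaluate(dir_re, file_re=None, trailing_slash=True):
    """Return {uri: denied} for every sample request under one rule set."""
    return {u: is_denied(u, dir_re, file_re, trailing_slash) for u in SAMPLE_URIS}

if __name__ == "__main__":
    rule_sets = [
        ("proposed <Directory ~>, dir path with slash", DIR_RE_PROPOSED, None, True),
        ("proposed <Directory ~>, dir path without slash", DIR_RE_PROPOSED, None, False),
        ("robust <Directory ~> plus <FilesMatch>", DIR_RE_ROBUST, FILE_RE, True),
    ]
    for label, dir_re, file_re, slash in rule_sets:
        print(label)
        for uri, denied in evaluate(dir_re, file_re, slash).items():
            print(f"  {'DENY ' if denied else 'allow'} {uri}")
```

Running it shows that the proposed block alone leaves .env, .DS_Store and the vim swap file reachable, and that the well-known\/ lookahead blocks /.well-known/security.txt as soon as the directory path has no trailing slash.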
