[PHPBB-16890] Edit the config sample files and web.config to deny access to the "config" directory

XML

Word

Printable

Details

Type: Task
Status: Unverified Fix (View Workflow)
Priority: Minor
Resolution: Fixed
Affects Version/s: 3.3.5
Fix Version/s: 3.3.13-RC1
Component/s: Documentation
Labels:
None

GitHub Pull Request URL:
https://github.com/phpbb/phpbb/pull/6676

Description

Like cache, files, images\avatars\upload, includes and store, the directory named « config » has a .htaccess file for Apache web server in the aim of denying access.

However, config sample files for other web server (docs/lighttpd.sample.conf and docs/nginx.sample.conf) do not reflect that restriction. Only "config" PHP file is denied, not the directory. Same applies to the web.config for IIS. The config directory restriction should be added for IIS/lighttpd/nginx files.

- - - - - - -

For nginx.sample.conf, the line...

location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor) {

...could be replaced by that one:

location ~ /(config|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor) {

The presence of config in the location denies both config directory and config.php for nginx

Attachments

Activity

People

Assignee:: Marc

Reporter:: Big Monstro

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 16/Oct/21 10:41 AM

Updated:: 10/Jul/24 8:19 PM

Resolved:: 10/Jul/24 8:19 PM