User tests: Successful: Unsuccessful:
Pull Request resolves # .
This pull request improves the default .htaccess security by restricting direct access to files in the images, media, and files directories.
Previously, the default htaccess.txt did not prevent direct access to uploaded executable files. While you should not be able to upload executable files to these folders a poorly configured extension may allow it, leaving sites potentially vulnerable if an attacker is able to upload a malicious script.
The new rules adopt a whitelist approach:
images, media, and files directories are denied with a 403 Forbidden response.Compared to a blacklist of executable extensions, a whitelist provides stronger protection by denying unknown or unexpected file types by default.
The accompanying post-installation message has also been updated to explain the change and provide the rules that should be manually added to existing .htaccess files, as these files cannot be updated automatically.
The post installation message will be shown to upgrading users
Download the pre-built installation package from this PR and install
On installation there is NO post-installation message about the new htaccess
the new htaccess.txt is available in the root of the web site
On an installation of J6.1 upgrade it to J6.2 using the upgrade package from this PR
On upgrade there is a NEW post-installation message about the new htaccess
the new htaccess.txt is available in the root of the web site
If accepted I will update https://guide.joomla.org/user-manual/configuration/configuration-the-htaccess-file
Please select:
Documentation link for guide.joomla.org:
No documentation changes for guide.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
| Status | New | ⇒ | Pending |
| Category | ⇒ | Administration com_admin SQL Postgresql Language & Strings |
| Labels |
Added:
Language Change
PR-6.2-dev
|
||
| Title |
|
||||||
I agree with this addition (did the same for my own extension images folder).
Just a question? Can't we just force it with files added to the root of images, files and media?
Maybe adding as well the web.config version.
I agree with this addition (did the same for my own extension images folder).
Just a question? Can't we just force it with files added to the root of images, files and media?
Maybe adding as well the web.config version.
No you can't do that, at least not on an update
Great idea, thanks
Might it be worth including the tmp folder as well? Obviously, it needs to be possible to write PHP files into it, but they don’t need to be executable ‘from outside’. If I remember correctly, the JCE exploit created an x.php file inside tmp, which was then executed.
Re: web.config as I can't test that I won't be able to submit an update for that. As the web.config already has weaker settings than htaccess I would suggest that is considered in its own pr as there would be bigger changes needed there
Re: web.config as I can't test that I won't be able to submit an update for that. As the web.config already has weaker settings than htaccess I would suggest that is considered in its own pr as there would be bigger changes needed there
I was about to update my comment, as more easy for testing as well to be separated, but you were faster! ;-)
I've tested the htaccess rule and it works as expected. Not marking this as successfull test, because I didn't test the postinstall message