Language Change PR-6.2-dev Pending

User tests: Successful: Unsuccessful:

avatar brianteeman
brianteeman
10 Jul 2026

Pull Request resolves # .

  • I read the Generative AI policy and my contribution is either not created with the help of AI or is compatible with the policy and GNU/GPL 2 or later.

Summary of Changes

This pull request improves the default .htaccess security by restricting direct access to files in the images, media, and files directories.

Previously, the default htaccess.txt did not prevent direct access to uploaded executable files. While you should not be able to upload executable files to these folders a poorly configured extension may allow it, leaving sites potentially vulnerable if an attacker is able to upload a malicious script.

The new rules adopt a whitelist approach:

  • Requests for a defined set of safe file types (images, documents, media files, archives and web assets) are permitted.
  • Requests for any other file type within the images, media, and files directories are denied with a 403 Forbidden response.

Compared to a blacklist of executable extensions, a whitelist provides stronger protection by denying unknown or unexpected file types by default.

The accompanying post-installation message has also been updated to explain the change and provide the rules that should be manually added to existing .htaccess files, as these files cannot be updated automatically.

The post installation message will be shown to upgrading users

Testing Instructions

Clean install of j62

Download the pre-built installation package from this PR and install
On installation there is NO post-installation message about the new htaccess
the new htaccess.txt is available in the root of the web site

Upgrade from 6.1 to 62

On an installation of J6.1 upgrade it to J6.2 using the upgrade package from this PR
On upgrade there is a NEW post-installation message about the new htaccess
the new htaccess.txt is available in the root of the web site

image

If accepted I will update https://guide.joomla.org/user-manual/configuration/configuration-the-htaccess-file

Link to documentations

Please select:

  • Documentation link for guide.joomla.org:

  • No documentation changes for guide.joomla.org needed

  • Pull Request link for manual.joomla.org:

  • No documentation changes for manual.joomla.org needed

avatar brianteeman brianteeman - open - 10 Jul 2026
avatar brianteeman brianteeman - change - 10 Jul 2026
Status New Pending
avatar joomla-cms-bot joomla-cms-bot - change - 10 Jul 2026
Category Administration com_admin SQL Postgresql Language & Strings
avatar brianteeman brianteeman - change - 10 Jul 2026
Labels Added: Language Change PR-6.2-dev
avatar brianteeman brianteeman - change - 10 Jul 2026
The description was changed
avatar brianteeman brianteeman - edited - 10 Jul 2026
avatar brianteeman brianteeman - change - 10 Jul 2026
Title
[6.2] Htaccess hardeing to whitelist allowed files in
[6.2] Htaccess hardening to whitelist allowed files
avatar brianteeman brianteeman - edited - 10 Jul 2026
avatar brianteeman brianteeman - change - 10 Jul 2026
The description was changed
avatar brianteeman brianteeman - edited - 10 Jul 2026
avatar brianteeman brianteeman - change - 11 Jul 2026
The description was changed
avatar brianteeman brianteeman - edited - 11 Jul 2026
avatar Hackwar
Hackwar - comment - 11 Jul 2026

I've tested the htaccess rule and it works as expected. Not marking this as successfull test, because I didn't test the postinstall message

avatar cyrez
cyrez - comment - 11 Jul 2026

I agree with this addition (did the same for my own extension images folder).

Just a question? Can't we just force it with files added to the root of images, files and media?
Maybe adding as well the web.config version.

avatar cyrez
cyrez - comment - 11 Jul 2026

I agree with this addition (did the same for my own extension images folder).

Just a question? Can't we just force it with files added to the root of images, files and media?
Maybe adding as well the web.config version.

avatar brianteeman
brianteeman - comment - 11 Jul 2026

No you can't do that, at least not on an update

avatar PixedBo
PixedBo - comment - 11 Jul 2026

Great idea, thanks
Might it be worth including the tmp folder as well? Obviously, it needs to be possible to write PHP files into it, but they don’t need to be executable ‘from outside’. If I remember correctly, the JCE exploit created an x.php file inside tmp, which was then executed.

avatar brianteeman
brianteeman - comment - 11 Jul 2026

Re: web.config as I can't test that I won't be able to submit an update for that. As the web.config already has weaker settings than htaccess I would suggest that is considered in its own pr as there would be bigger changes needed there

avatar cyrez
cyrez - comment - 11 Jul 2026

Re: web.config as I can't test that I won't be able to submit an update for that. As the web.config already has weaker settings than htaccess I would suggest that is considered in its own pr as there would be bigger changes needed there

I was about to update my comment, as more easy for testing as well to be separated, but you were faster! ;-)

Add a Comment

Login with GitHub to post a comment