Security: Prevent access to web.config on Apache servers (also documented in the installation guide for nginx) - refs BT#22085

ywarnier · ywarnier · commit 1d9166524419 · 2024-10-08T17:03:03.000+02:00
diff --git a/.htaccess b/.htaccess
@@ -124,3 +124,7 @@ RedirectMatch 403 ^/main/inc/lib/javascript/bigupload/files
 <IfModule mod_headers.c>
   Header always set X-Content-Type-Options nosniff
 </IfModule>
+
+<Files "web.config">
+    Require all denied
+</Files>
diff --git a/documentation/installation_guide.html b/documentation/installation_guide.html
@@ -757,11 +757,22 @@ <h3>Apache RewriteRules</h3>
     RewriteRule ^(tests|.git) - [F,L,NC]
   &lt;/Directory&gt;
 
-    AddType application/font-woff .woff .woff2
-    &lt;IfModule mod_expires.c&gt;
-      ExpiresActive On
-      ExpiresByType application/font-woff "access plus 1 month"
-    &lt;/IfModule&gt;
+  AddType application/font-woff .woff .woff2
+  &lt;IfModule mod_expires.c&gt;
+    ExpiresActive On
+    ExpiresByType application/font-woff "access plus 1 month"
+  &lt;/IfModule&gt;
+  # Disallow direct access to /main/inc/lib/javascript/bigupload/files
+  RedirectMatch 403 ^/main/inc/lib/javascript/bigupload/files
+
+  # Disallow MIME sniffing to prevent XSS from unknown/incorrect file extensions
+  <IfModule mod_headers.c>
+    Header always set X-Content-Type-Options nosniff
+  </IfModule>
+
+  <Files "web.config">
+    Require all denied
+  </Files>
     </pre>
 
     <h4>Special note on sharing questions between courses</h4>
@@ -856,6 +867,10 @@ <h3>Nginx</h3>
   }
   location ^~ /tests/ {
     deny all;
+  }
+  location ~* /web.config$ {
+    deny all;
+    return 403;
   }
     </pre>
 
