This patch hides (-Indexes) and forbids (Deny from all) access to some stuff through a browser.
Specifically "xslt", "modules" and "includes" dirs and their contents.
This is just a quick fix we talked about on IRC. The proper solution would be to remove this from htdocs which will still be needed.
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
I do not have an installation that uses Apache at this point, but the
changes look correct and this was signed off and QAed by Chris and
Jonathan, both of whom have Apache installations.
SetEnv MEMCACHED_SERVERS "__MEMCACHED_SERVERS__"
SetEnv MEMCACHED_NAMESPACE "__MEMCACHED_NAMESPACE__"
+ <Directory "__OPAC_WWW_DIR__">
+ Options -Indexes
+ </Directory>
+
+ # Secure internal stuff
+ <DirectoryMatch "__OPAC_WWW_DIR__/.*/(modules|xslt|includes)">
+ Order deny,allow
+ Deny from all
+ </DirectoryMatch>
+
<IfModule mod_gzip.c>
mod_gzip_on yes
mod_gzip_dechunk yes
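Review bot: The pattern in `<DirectoryMatch "__OPAC_WWW_DIR__/.*/(modules|xslt|includes)">` is not anchored after the alternation, so it also matches any directory whose name merely begins with one of the three words (a path containing `/modules-old`, for instance). The `/.*/` part also requires a second slash between the www dir and the protected name, so a `modules`, `xslt` or `includes` directory sitting directly under `__OPAC_WWW_DIR__` is not covered. If the intent is exactly those three directories at any depth, something like `^__OPAC_WWW_DIR__/(.*/)?(modules|xslt|includes)(/|$)` expresses it. The comment "Secure internal stuff" should also say what these directories hold and why they must not be served.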
ErrorDocument 404 /cgi-bin/koha/errors/404.pl
ErrorDocument 500 /cgi-bin/koha/errors/500.pl
+ <Directory "__INTRANET_WWW_DIR__">
+ Options -Indexes
+ </Directory>
+
+ # Secure internal stuff
+ <DirectoryMatch "__INTRANET_WWW_DIR__/.*/(modules|xslt|includes)">
+ Order deny,allow
+ Deny from all
+ </DirectoryMatch>
+
<IfModule mod_gzip.c>
mod_gzip_on yes
mod_gzip_dechunk yes
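Review bot: `Order deny,allow` and `Deny from all` in the added `<DirectoryMatch "__INTRANET_WWW_DIR__/.*/(modules|xslt|includes)">` block are the Apache 2.2 access-control directives. On Apache 2.4 they are provided only by mod_access_compat, and the native form is `Require all denied`. If this template is meant to work on both versions, guard the two forms with a version or module conditional so the deny rule does not depend on a compatibility module being loaded. The block is otherwise a copy of the OPAC one, so any tightening of the regular expression there needs to be applied here as well.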