Bug 9812 - Forbid access to several files through the browser

This patch hides (-Indexes) and forbids (Deny from all) access to some stuff through a browser.
Specifically "xlst", "modules" and "includes" dirs and its contents.

This is just a quick fix we talked about at IRC. The proper solution would be to remove this from htdocs which will still be needed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
I do not have an installation that uses Apache at this point, but the
changes look correct and this was signed off and QAed by Chris and
Jonathan, both of whom have Apache installations.

diff --git a/etc/koha-httpd.conf b/etc/koha-httpd.conf
index 67c54f0..dd5ec41 100644 (file)
--- a/etc/koha-httpd.conf
+++ b/etc/koha-httpd.conf
@@ -20,6 +20,16 @@
    SetEnv MEMCACHED_SERVERS "__MEMCACHED_SERVERS__"
    SetEnv MEMCACHED_NAMESPACE "__MEMCACHED_NAMESPACE__"
 
+   <Directory "__OPAC_WWW_DIR__">
+      Options -Indexes
+   </Directory>
+
+   # Secure internal stuff
+   <DirectoryMatch "__OPAC_WWW_DIR__/.*/(modules|xslt|includes)">
+      Order deny,allow
+      Deny from all
+   </DirectoryMatch>
+
    <IfModule mod_gzip.c>
      mod_gzip_on yes
      mod_gzip_dechunk yes
@@ -122,6 +132,16 @@
    ErrorDocument 404 /cgi-bin/koha/errors/404.pl
    ErrorDocument 500 /cgi-bin/koha/errors/500.pl
 
+   <Directory "__INTRANET_WWW_DIR__">
+      Options -Indexes
+   </Directory>
+
+   # Secure internal stuff
+   <DirectoryMatch "__INTRANET_WWW_DIR__/.*/(modules|xslt|includes)">
+      Order deny,allow
+      Deny from all
+   </DirectoryMatch>
+
    <IfModule mod_gzip.c>
      mod_gzip_on yes
      mod_gzip_dechunk yes