Deny/hide access to files starting with a dot, like .git, .svn, .DS_Store, .yml

9

By default Apache denies access to files whose name begins with .ht, for example .htaccess:

<Files ~ "^\.ht">
    Require all denied
</Files>

But I notice that many files use the . prefix, like .gitignore. I believe this file does no harm, but I still think the use of the dot as a prefix is "strongly" directed at configuration files. I think it might be interesting to deny access to these files in general by doing something like:

RewriteEngine On

# Only act on paths that actually exist (directory OR file); a missing
# path falls through to the normal 404
RewriteCond %{REQUEST_FILENAME} -d [OR]
RewriteCond %{REQUEST_FILENAME} -f

# Return HTTP 403 for any path segment that starts with a dot
RewriteRule (^|/)\. - [F,L]

In IIS maybe it’s something like:

<rule name="Redirect to routes" stopProcessing="true">
    <!-- MatchAny: block only when the path exists as a directory OR a file,
         so a missing path still gets the normal 404 -->
    <conditions logicalGrouping="MatchAny">
        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" />
        <add input="{REQUEST_FILENAME}" matchType="IsFile" />
    </conditions>
    <!-- any path segment that starts with a dot -->
    <match url="(^|/)\." ignoreCase="false" />
    <!-- AbortRequest drops the connection; to answer with a 403 like the
         Apache rule, use CustomResponse with statusCode="403" instead -->
    <action type="AbortRequest" />
</rule>

I added the file check because if the file does not exist it should return a 404, not a 403.

Would this be a "good use", or does the . prefix have other uses besides settings files?

If so, should I instead swap it for a "group" of file types:

(^|/)\.(git|gitignore|yml|svn)$
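The decision the question's rules encode (an existing path with a hidden segment gets 403, a missing path gets 404, everything else is served), as an added Python example that is not part of the question or of any answer. It builds a constructed temporary document root and also lists which hidden files a docroot actually exposes, so you can see what the rule has to cover before deploying it.

```python
import os
import re
import tempfile

# Same pattern as the question's rules: a dot at the start of any path segment.
HIDDEN_SEGMENT = re.compile(r"(^|/)\.")


def decide(docroot, request_path):
    """Return the HTTP status the question's rewrite rules would yield.

    Mirrors:  RewriteCond -d [OR] -f   (only existing paths are blocked)
              RewriteRule (^|/)\\. - [F] (hidden segment -> 403)
    Anything else falls through to the normal handler: 200 if it exists, else 404.
    Paths are assumed already normalized by the server (no '..' segments).
    """
    rel = request_path.lstrip("/")
    full = os.path.join(docroot, rel)
    if not (os.path.isdir(full) or os.path.isfile(full)):
        return 404          # missing path: no information leak about the rule
    if HIDDEN_SEGMENT.search(rel):
        return 403          # existing dot-file or dot-directory
    return 200


def audit_hidden(docroot):
    """List every file under docroot that lives in a hidden segment, i.e.
    everything a rule like the one above must protect."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            rel = rel.replace(os.sep, "/")
            if HIDDEN_SEGMENT.search(rel):
                found.append(rel)
    return sorted(found)


def build_sample_docroot():
    """Constructed sample tree for the demo (not taken from the page)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {"index.php": "<?php", ".gitignore": "vendor/",
              ".git/config": "[core]", "app/.env": "SECRET=x",
              "app/data.yml": "a: 1"}
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root
```

Run `audit_hidden(build_sample_docroot())` to see the three hidden files, then `decide()` for each request path to confirm the 403/404/200 split.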
  • On Unix file systems, files starting with . are considered "hidden" and do not appear when listing a directory with ls (you have to use ls -a to see them). Therefore it is common for configuration files to start with a dot, but not all files starting with a dot are necessarily configuration files. Of course, all of this is orthogonal to whether or not they should be hidden by Apache/IIS; that is a "business" decision for you, and there are no technical arguments either for or against.

  • A question about the htaccess: is there no need to escape the dot and the slash? RewriteRule ^(\.|/\.) - [F,L]

  • @Magichat the backslash is an escape for the dot; a dot without the backslash would be like saying "match anything, including multiple lines", while \. is like saying just a dot, because this is regex. Note: the normal slash / has nothing to do with escaping; it is used to check whether the PATH is inside a "folder", like: a file in the root matches ^\., e.g. .git, and a file inside a folder, e.g. foo/bar/.git

  • @Wtrmute that is exactly the premise of my thinking and why I formulated the question. Thank you ;)

  • William, yes, that would be a good use. I follow Apache itself, which claims it is good practice.

  • So, if you really don't want the guy to know you have those files, return a 404 instead. This is what I would like GitLab to do with private projects: outsiders should not even see the possibility that these projects exist. This gives an extra layer of security, even more so if it is something with confidential information, as may be the case with the internal files in the .git directory

  • @Jeffersonquesado this is precisely my doubt; I was thinking of making them purely invisible, i.e. by creating a route on the server like the one on Wikipedia, https://pt.wikipedia.org/wiki/.htaccess, the user of a web framework's router could create something like Wikipedia did, a custom page :) Thank you!

  • Do you want the answer for ISS or Apache? I got confused.

  • @Everson it is not ISS, it is IIS, the server used by Microsoft

  • @Why did you give me a downvote? Seriously, I explained it to you in a good way; I will not downvote your posts because that is not right, but I really did explain everything to you in a good way, it was an opportunity for you to improve, I did not even downvote your answer there, do you really think that was necessary?

  • @Guilhermenascimento it was not actually a downvote, but a favourite, to see what the correct answer was. But I tried to change it and I can't until the question is edited. Please, could you edit anything so I can select the correct option?

  • Corrected! Thank you.

  • @Everson Okay, thank you. I'll take a look at the RFCs and if I find something on the subject I'll let you know; maybe you can formulate an answer ;) ... I wanted to give someone the opportunity to answer on the subject.


2 answers

4

For the file-server case, it is more reliable to block direct access to files/directories that start with the . prefix, because they usually contain configuration information that can be confidential; better to lock by default and release by whitelist. I found this article, which largely addresses your doubts. Excerpt from the article:

Disabling hidden files both on the request side and the file serving side should protect you from leaking hidden files, barring other application security holes.

In free translation:

Disabling hidden files, both on the request side and on the file-serving side, should protect you from leaking hidden files, aside from other security holes in the application.

Of course, it depends a lot on your project and your deploy; if you deploy by extracting a zip, make sure the zip will not contain the files with confidential information (for example, using a make package.zip that compresses all your scripts into a zip).

For links that have the . as a suffix but do not map to files (as you yourself commented), there are no restrictions. For example, Wikimedia is all written in PHP, often deployed to run on Apache Server, intercepting the URL and interpreting what needs to be sent rather than serving the file directly (with the exception of uploaded files).

  • The answer is almost there, but what about the difference between blocking and hiding, and the question of hiding just a few or hiding all of them?

  • @Guilhermenascimento I tried to talk about hiding all of them in the whitelist part, where the default would be to block. The idea of this answer is more of a bootstrap for a more complete answer

0

This is the solution I have been using; otherwise all files with an extension to the right of the . would be redirected, and so all the files starting with .giti are redirected elsewhere.

# Apache 2.2 access syntax: refuse the .htaccess/.htpasswd files themselves
<Files ~ "^\.(htaccess|htpasswd)$">
deny from all
</Files>
ErrorDocument 404 /pt/404.php
RewriteEngine on
# Force HTTPS: anything arriving on port 80 is redirected to the https host
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*) https://www.exemplo.com/$1 [R=301,L]
DirectoryIndex index.php
# Redirect takes a literal URL prefix, not a regex; RedirectMatch is needed
# for a pattern. Matches .git (and .giti...) in any path segment.
RedirectMatch permanent (^|/)\.giti* /index.php
# With no Deny line this ordering allows everyone
order deny,allow
  • Thank you for trying, but I am not looking for "solutions" to block, deny, etc.; all of that I know how to do. The issue has nothing to do directly with .htaccess; the point of the question is a "recommendation", something like an RFC (https://www.ietf.org/rfc/), as I said when I added the bounty: "Please avoid very opinionated answers."
