author | Tim Starling <tstarling@wikimedia.org> | 2025-04-04 17:08:47 +1100 |
---|---|---|
committer | Reedy <reedy@wikimedia.org> | 2025-04-04 13:33:54 +0000 |
commit | 4d6ef841e2c6825406e0b4993f3b366e35f7841e (patch) | |
tree | 9338194dcab113e3c5824cb9e89054e9d8c80414 | |
parent | 3a700aec5852baa787b14ce8d8d5850903c3e18b (diff) | |
In .htaccess deny files, use "Satisfy All"REL1_42
These .htaccess files are intended to prohibit all web access. But if
the user sets "Satisfy Any" on a parent directory, in conjunction with
any permissive require directive like "Require all granted", access will
be allowed despite "Require all denied" in .htaccess.
So, override Satisfy so that the "Require all denied" will reliably take
effect.
Note that "Satisfy All" is the default. This only affects non-default
installations.
Change-Id: Ia5862fb69e439b7ea2ed7af011e1ebf8f1b1f6d6
(cherry picked from commit a50d2e69f8ce9e5720b05615d04c35cc9008b6ae)
-rw-r--r-- | cache/.htaccess | 1 | ||||
-rw-r--r-- | includes/.htaccess | 1 | ||||
-rw-r--r-- | includes/composer/ComposerVendorHtaccessCreator.php | 4 | ||||
-rw-r--r-- | includes/installer/SqliteInstaller.php | 4 | ||||
-rw-r--r-- | includes/libs/filebackend/FSFileBackend.php | 3 | ||||
-rw-r--r-- | languages/.htaccess | 1 | ||||
-rw-r--r-- | maintenance/.htaccess | 1 | ||||
-rw-r--r-- | maintenance/archives/.htaccess | 1 | ||||
-rw-r--r-- | tests/.htaccess | 1 | ||||
-rw-r--r-- | tests/phpunit/unit/includes/installer/SqliteInstallerTest.php | 2 |
10 files changed, 15 insertions, 4 deletions
diff --git a/cache/.htaccess b/cache/.htaccess
index b66e80882967..2e5c00314d2f 100644
--- a/cache/.htaccess
+++ b/cache/.htaccess
@@ -1 +1,2 @@
 Require all denied
+Satisfy All
diff --git a/includes/.htaccess b/includes/.htaccess
index b66e80882967..2e5c00314d2f 100644
--- a/includes/.htaccess
+++ b/includes/.htaccess
@@ -1 +1,2 @@
 Require all denied
+Satisfy All
diff --git a/includes/composer/ComposerVendorHtaccessCreator.php b/includes/composer/ComposerVendorHtaccessCreator.php
index e2a079b021d5..ef835fa1d898 100644
--- a/includes/composer/ComposerVendorHtaccessCreator.php
+++ b/includes/composer/ComposerVendorHtaccessCreator.php
@@ -40,6 +40,8 @@ class ComposerVendorHtaccessCreator {
 return;
 }
- file_put_contents( $fname, "Require all denied\n" );
+ file_put_contents( $fname,
+ "Require all denied\n" .
+ "Satisfy All\n" );
 }
 }
diff --git a/includes/installer/SqliteInstaller.php b/includes/installer/SqliteInstaller.php
index c0e7480bef78..7a5d27b2131a 100644
--- a/includes/installer/SqliteInstaller.php
+++ b/includes/installer/SqliteInstaller.php
@@ -154,7 +154,9 @@ class SqliteInstaller extends DatabaseInstaller {
 }
 }
 # Put a .htaccess file in case the user didn't take our advice
- file_put_contents( "$dir/.htaccess", "Require all denied\n" );
+ file_put_contents( "$dir/.htaccess",
+ "Require all denied\n" .
+ "Satisfy All\n" );
 return Status::newGood();
 }
diff --git a/includes/libs/filebackend/FSFileBackend.php b/includes/libs/filebackend/FSFileBackend.php
index 78c698a29d15..d84e3a8399d5 100644
--- a/includes/libs/filebackend/FSFileBackend.php
+++ b/includes/libs/filebackend/FSFileBackend.php
@@ -966,7 +966,8 @@ class FSFileBackend extends FileBackendStore {
 * @return string
 */
 protected function htaccessPrivate() {
- return "Require all denied\n";
+ return "Require all denied\n" .
+ "Satisfy All\n";
 }
 /**
diff --git a/languages/.htaccess b/languages/.htaccess
index b66e80882967..2e5c00314d2f 100644
--- a/languages/.htaccess
+++ b/languages/.htaccess
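Review bot: `Satisfy` is not a core directive on Apache 2.4; it is provided by mod_access_compat, so on a 2.4 server running without that module the line added to cache/.htaccess would make the file fail to parse and requests under the directory would return a 500 instead of a 403. That still fails closed for a deny-all directory, but it replaces a clean denial with a configuration error logged on every request. The same line is added to includes/, languages/, maintenance/, maintenance/archives/ and tests/, and to the strings written by the three PHP generators. A parent directory can only set `Satisfy Any` when the module is loaded, so guarding the line loses no protection: `<IfModule mod_access_compat.c>`, `Satisfy All`, `</IfModule>`.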
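Review bot: In includes/composer/ComposerVendorHtaccessCreator.php the rewritten `file_put_contents( $fname, … )` call still ignores its return value, so a vendor directory that cannot be written is left without a deny file and nothing reports it. The same holds in includes/installer/SqliteInstaller.php, where `return Status::newGood();` follows the write unconditionally. Comparing the result with `false` and surfacing a warning would make the unprotected state visible. The `return;` in the context above the call suggests an early exit whose condition lies outside the hunk; if it fires when the file already exists, installations that carry the old one-line file never pick up `Satisfy All` from this path and would need a manual update.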
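Review bot: The docblock of `htaccessPrivate()` in includes/libs/filebackend/FSFileBackend.php, of which only `@return string` is visible, should explain the second directive, since a later reader may take it for redundant and drop it. A comment such as `// "Satisfy All" overrides an inherited "Satisfy Any", which would otherwise let a permissive Require on a parent directory win over the deny` above the return would do. Whether .htaccess files already written into existing private containers are regenerated cannot be seen from this hunk; if they are not, those directories keep the one-line file until they are secured again.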
@@ -1 +1,2 @@
 Require all denied
+Satisfy All
diff --git a/maintenance/.htaccess b/maintenance/.htaccess
index b66e80882967..2e5c00314d2f 100644
--- a/maintenance/.htaccess
+++ b/maintenance/.htaccess
@@ -1 +1,2 @@
 Require all denied
+Satisfy All
diff --git a/maintenance/archives/.htaccess b/maintenance/archives/.htaccess
index b66e80882967..2e5c00314d2f 100644
--- a/maintenance/archives/.htaccess
+++ b/maintenance/archives/.htaccess
@@ -1 +1,2 @@
 Require all denied
+Satisfy All
diff --git a/tests/.htaccess b/tests/.htaccess
index b66e80882967..2e5c00314d2f 100644
--- a/tests/.htaccess
+++ b/tests/.htaccess
@@ -1 +1,2 @@
 Require all denied
+Satisfy All
diff --git a/tests/phpunit/unit/includes/installer/SqliteInstallerTest.php b/tests/phpunit/unit/includes/installer/SqliteInstallerTest.php
index ac706df36070..144220a6bbce 100644
--- a/tests/phpunit/unit/includes/installer/SqliteInstallerTest.php
+++ b/tests/phpunit/unit/includes/installer/SqliteInstallerTest.php
@@ -61,7 +61,7 @@ class SqliteInstallerTest extends MediaWikiUnitTestCase {
 $dir = sys_get_temp_dir() . '/' . uniqid( 'MediaWikiTest' );
 $status = $method->invoke( null, $dir );
 $this->assertStatusGood( $status );
- $this->assertSame( "Require all denied\n", file_get_contents( "$dir/.htaccess" ) );
+ $this->assertSame( "Require all denied\nSatisfy All\n", file_get_contents( "$dir/.htaccess" ) );
 unlink( "$dir/.htaccess" );
 rmdir( $dir );
 } |