In .htaccess deny files, use "Satisfy All"

These .htaccess files are intended to prohibit all web access. But if the user sets "Satisfy Any" on a parent directory, in conjunction with any permissive require directive like "Require all granted", access will be allowed despite "Require all denied" in .htaccess. So, override Satisfy so that the "Require all denied" will reliably take effect. Note that "Satisfy All" is the default. This only affects non-default installations. Change-Id: Ia5862fb69e439b7ea2ed7af011e1ebf8f1b1f6d6
author: Tim Starling <tstarling@wikimedia.org> 2025-04-04 17:08:47 +1100
committer: Tim Starling <tstarling@wikimedia.org> 2025-04-04 17:32:46 +1100
commit: a50d2e69f8ce9e5720b05615d04c35cc9008b6ae (patch)
tree: f078e7192aadd79ddcc3734b4001a09a062dc5fd /includes/composer
parent: 2765fb39c3b7426c8f9501745a10fe89baea3a4c (diff)
download: mediawikicore-a50d2e69f8ce9e5720b05615d04c35cc9008b6ae.tar.gz
mediawikicore-a50d2e69f8ce9e5720b05615d04c35cc9008b6ae.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/includes/composer/ComposerVendorHtaccessCreator.php b/includes/composer/ComposerVendorHtaccessCreator.php
index e2a079b021d5..ef835fa1d898 100644
--- a/includes/composer/ComposerVendorHtaccessCreator.php
+++ b/includes/composer/ComposerVendorHtaccessCreator.php
@@ -40,6 +40,8 @@ class ComposerVendorHtaccessCreator {
 			return;
 		}
 
-		file_put_contents( $fname, "Require all denied\n" );
+		file_put_contents( $fname,
+			"Require all denied\n" .
+			"Satisfy All\n" );
 	}
 }
author	Tim Starling <tstarling@wikimedia.org>	2025-04-04 17:08:47 +1100
committer	Tim Starling <tstarling@wikimedia.org>	2025-04-04 17:32:46 +1100
commit	a50d2e69f8ce9e5720b05615d04c35cc9008b6ae (patch)
tree	f078e7192aadd79ddcc3734b4001a09a062dc5fd /includes/composer
parent	2765fb39c3b7426c8f9501745a10fe89baea3a4c (diff)
download	mediawikicore-a50d2e69f8ce9e5720b05615d04c35cc9008b6ae.tar.gz mediawikicore-a50d2e69f8ce9e5720b05615d04c35cc9008b6ae.zip