From a50d2e69f8ce9e5720b05615d04c35cc9008b6ae Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Fri, 4 Apr 2025 17:08:47 +1100
Subject: In .htaccess deny files, use "Satisfy All"

These .htaccess files are intended to prohibit all web access. But if the user sets "Satisfy Any" on a parent directory, in conjunction with any permissive require directive like "Require all granted", access will be allowed despite "Require all denied" in .htaccess. So, override Satisfy so that the "Require all denied" will reliably take effect. Note that "Satisfy All" is the default. This only affects non-default installations.

Change-Id: Ia5862fb69e439b7ea2ed7af011e1ebf8f1b1f6d6
---
 includes/composer/ComposerVendorHtaccessCreator.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
 (limited to 'includes/composer')

diff --git a/includes/composer/ComposerVendorHtaccessCreator.php b/includes/composer/ComposerVendorHtaccessCreator.php
index e2a079b021d5..ef835fa1d898 100644
--- a/includes/composer/ComposerVendorHtaccessCreator.php
+++ b/includes/composer/ComposerVendorHtaccessCreator.php
@@ -40,6 +40,8 @@ class ComposerVendorHtaccessCreator {
 return;
 }

- file_put_contents( $fname, "Require all denied\n" );
+ file_put_contents( $fname,
+ "Require all denied\n" .
+ "Satisfy All\n" );
 }
 }
--
cgit v1.2.3
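Review bot: The added `"Satisfy All\n"` line is written unconditionally, but in Apache 2.4 `Satisfy` is provided by mod_access_compat, and an unrecognised directive in .htaccess makes every request under that directory fail with a 500 and an error-log entry instead of a clean 403. That still denies access, and without the module a parent "Satisfy Any" cannot exist either, so the directive could be guarded at no cost: `"<IfModule mod_access_compat.c>\nSatisfy All\n</IfModule>\n"`. Separately, the `return;` just above the write (its condition is outside the hunk) appears to skip a file that already exists, so installations that already have the deny file would not pick up the new line; a release note or a rewrite-when-content-differs check would cover that. The return value of `file_put_contents()` is also unchecked, so a failed write leaves the directory without the deny file and reports nothing. The method body starts outside the hunk.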