From 4d6ef841e2c6825406e0b4993f3b366e35f7841e Mon Sep 17 00:00:00 2001
From: Tim Starling <tstarling@wikimedia.org>
Date: Fri, 4 Apr 2025 17:08:47 +1100
Subject: In .htaccess deny files, use "Satisfy All"

These .htaccess files are intended to prohibit all web access. But if
the user sets "Satisfy Any" on a parent directory, in conjunction with
any permissive require directive like "Require all granted", access will
be allowed despite "Require all denied" in .htaccess.

So, override Satisfy so that the "Require all denied" will reliably take
effect.

Note that "Satisfy All" is the default. This only affects non-default
installations.

Change-Id: Ia5862fb69e439b7ea2ed7af011e1ebf8f1b1f6d6
(cherry picked from commit a50d2e69f8ce9e5720b05615d04c35cc9008b6ae)
---
 maintenance/.htaccess          | 1 +
 maintenance/archives/.htaccess | 1 +
 2 files changed, 2 insertions(+)

(limited to 'maintenance')

diff --git a/maintenance/.htaccess b/maintenance/.htaccess
index b66e80882967..2e5c00314d2f 100644
--- a/maintenance/.htaccess
+++ b/maintenance/.htaccess
@@ -1 +1,2 @@
 Require all denied
+Satisfy All
diff --git a/maintenance/archives/.htaccess b/maintenance/archives/.htaccess
index b66e80882967..2e5c00314d2f 100644
--- a/maintenance/archives/.htaccess
+++ b/maintenance/archives/.htaccess
@@ -1 +1,2 @@
 Require all denied
+Satisfy All
-- 
cgit v1.2.3