anvc / scalar

Born-digital, open source, media-rich scholarly publishing that’s as easy as blogging.

Improved file access restrictions #223

Closed paulmer closed 10 months ago

paulmer commented 12 months ago

A number of enhancements to improve security and behavior of Scalar:

  1. Set result status to 503 (Service Unavailable) when site is redirected to maintenance.html
  2. Redirect all requests other than those to the top level maintenance.html when routing to maintenance page. (Anchored comparison to request URI.)
  3. Removes assumption that Scalar is installed at DOCUMENT_ROOT (uses CONTEXT_DOCUMENT_ROOT instead).
  4. Makes file name matching more precise by using anchors and path separators in conditions to prevent matching specially crafted file names.
  5. Protects hidden files and files not part of Scalar (i.e., .git, READMEs, etc.)
  6. Removes rules that cannot match (^/.*) in an .htaccess file.

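The anchored-versus-unanchored matching behind items 2, 4, 5 and 6, as an added Python model that is not part of this PR and not Scalar's actual .htaccess. The deny patterns, file names and request URIs below are constructed for illustration; the regexes are written the way RewriteCond/RewriteRule patterns would be and are evaluated with Python's `re`, which agrees with Apache's PCRE for these constructs.

```python
import re

# Constructed unanchored deny rules of the kind item 4 warns about: each one
# also hits legitimate names that merely contain the substring.
LOOSE_DENY = [
    r"\.git",     # also matches "assets/widget.github.js"
    r"README",    # also matches "pages/README-style-guide"
]

# Constructed anchored rules with explicit path separators (items 4 and 5):
# a match must cover a whole path segment, so only real dot-files/dirs and
# README files at any depth are denied.
STRICT_DENY = [
    r"(^|/)\.[^/]+(/|$)",           # .git/, .htaccess, .env ...
    r"(^|/)README(\.[A-Za-z]+)?$",  # README, README.md as a whole file name
]


def is_denied(rewrite_path: str, rules) -> bool:
    """rewrite_path is what a per-directory RewriteRule sees: the request path
    relative to the .htaccess directory, with no leading slash."""
    return any(re.search(rule, rewrite_path) for rule in rules)


def route(request_uri: str, maintenance: bool, anchored: bool = True):
    """Model of the maintenance routing in items 1 and 2.
    Returns (status, served_file). With anchored=True the exemption behaves
    like  RewriteCond %{REQUEST_URI} !^/maintenance\\.html$ ; with
    anchored=False it behaves like an unanchored  !maintenance\\.html ."""
    if anchored:
        exempt = re.search(r"^/maintenance\.html$", request_uri) is not None
    else:
        exempt = re.search(r"maintenance\.html", request_uri) is not None
    if maintenance and not exempt:
        # Equivalent of  RewriteRule ^ - [R=503,L]  plus
        # ErrorDocument 503 /maintenance.html : the client gets a 503 and the
        # maintenance page body, rather than a 200 that caches and crawlers
        # would treat as real content.
        return 503, "maintenance.html"
    return 200, request_uri.lstrip("/")


def rule_can_match_leading_slash(request_uri: str) -> bool:
    """Item 6: in .htaccess the RewriteRule pattern is applied to the path with
    the directory prefix stripped, so a pattern starting with ^/ never matches."""
    rewrite_path = request_uri.lstrip("/")
    return re.match(r"^/.*", rewrite_path) is not None


if __name__ == "__main__":
    for path in (".git/config", "assets/widget.github.js", "README.md",
                 "pages/README-style-guide", "system/application/.env"):
        print(f"{path:32} loose={is_denied(path, LOOSE_DENY)!s:5} "
              f"strict={is_denied(path, STRICT_DENY)}")
    print(route("/index.php", maintenance=True))
    print(route("/sub/maintenance.html", maintenance=True, anchored=False))
```

The loose rules produce both outcomes you do not want: false positives that break legitimate assets whose names happen to contain `.git`, and, once someone "fixes" that by loosening further, false negatives. The anchored forms deny exactly the dot-files and READMEs and nothing else. One caveat for a real deployment: `(^|/)\.[^/]+(/|$)` also denies `.well-known/`, which ACME and similar validators need, so an exemption for that directory belongs ahead of the deny rule.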
craigdietrich commented 11 months ago

Thanks, @paulmer, checking this now

craigdietrich commented 10 months ago

@paulmer Awesome work, thanks for contributing!