Deny / hide access to files that start with dot, such as .git, .svn, .DS_Store, .yml

9

By default Apache denies access to files whose name begins with .ht, such as .htaccess:

<Files ~ "^\.ht">
    Require all denied
</Files>

But I notice that many files use the . prefix, like .gitignore. I think this file does not do any harm, but I still think that the use of the dot in the prefix is "strongly" directed to configuration files. I think it might be interesting to deny access to these files in general by doing something like:

RewriteEngine On

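# Check whether the file or directory exists
# ([OR] is required: consecutive RewriteCond lines are ANDed by default,
# and a path is never both a directory and a regular file)
RewriteCond %{REQUEST_FILENAME} -d [OR]
RewriteCond %{REQUEST_FILENAME} -f

# Return HTTP status 403
RewriteRule ^(\.|/\.) - [F,L]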

In IIS maybe something like:

<rule name="Redirect to routes" stopProcessing="true">
    <!-- Apply only when the request maps to an existing file or directory -->
    <conditions logicalGrouping="MatchAny">
        <add input="{REQUEST_FILENAME}" matchType="IsDirectory" />
        <add input="{REQUEST_FILENAME}" matchType="IsFile" />
    </conditions>
    <match url="^(\.|/\.)" ignoreCase="false" />
    <action type="AbortRequest" />
</rule>
  

I added the file check because, if the file does not exist, it should issue 404 instead of 403.

Would this be a "good use", or does . as a prefix have other uses besides configuration files?

If this is the case, then you would swap it for a "group" of file types:

(^|/)\.(git|gitignore|yml|svn)$
    
asked by anonymous 03.05.2017 / 17:54

2 answers

4

For the file server case, it is more reliable to block direct access to files/directories beginning with the . prefix, because they usually contain configuration information that may be confidential; it is best to lock by default and free by whitelist. I found this article that deals largely with your questions. Excerpt from this article:

  

01.06.2017 / 19:12
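
The patterns from the question and the lock-by-default, free-by-whitelist approach from this answer, checked against constructed request paths (an added example, not part of the original posts). It assumes paths as a per-directory .htaccess rule at the document root sees them; the .well-known allowlist entry and all function names are assumptions of the example.

```python
import re

# Patterns quoted from the question. Paths are matched the way a per-directory
# (.htaccess) RewriteRule at the document root sees them: no leading slash.
PATTERNS = {
    "question_rule": r"^(\.|/\.)",
    "any_dot_segment": r"(^|/)\.",
    "named_group": r"(^|/)\.(git|gitignore|yml|svn)$",
}

# Assumption for this example: the only dot-prefixed path that must stay
# public is the RFC 8615 well-known directory.
ALLOWED_PREFIX = ".well-known/"

# Constructed request paths (not taken from any real site).
SAMPLE_PATHS = [
    ".git/config", ".gitignore",
    ".travis.yml", "app/.git/HEAD",
    "config/.env", ".well-known/acme-challenge/token",
    "docs/v1.2/readme.txt", "index.php",
]


def blocked_by(name, path):
    """True if the named pattern would match (and so deny) this path."""
    return re.search(PATTERNS[name], path) is not None


def deny_by_default(path):
    """Deny every dot-prefixed segment except under the allowlisted prefix."""
    if path.startswith(ALLOWED_PREFIX):
        path = path[len(ALLOWED_PREFIX):]  # still check what follows the prefix
    return blocked_by("any_dot_segment", path)


def report(paths=SAMPLE_PATHS):
    """Map each path to the verdict of every pattern plus the allowlist policy."""
    return {
        p: {**{n: blocked_by(n, p) for n in PATTERNS}, "deny_by_default": deny_by_default(p)}
        for p in paths
    }


if __name__ == "__main__":
    for path, verdicts in report().items():
        denied = [name for name, hit in verdicts.items() if hit]
        print(f"{path:35} denied by: {', '.join(denied) or 'nothing'}")
```

The output shows that the $-anchored group misses .git/config and .travis.yml, and that ^(\.|/\.) misses dot directories below the first path segment, such as app/.git/HEAD.
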
0

This is the solution I have used, otherwise all the files with the right extension of . And so all files starting with .giti are directed to the other side.

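# Deny direct access to .htaccess and .htpasswd
<Files ~ "^\.(htaccess|htpasswd)$">
    deny from all
</Files>
ErrorDocument 404 /pt/404.php
RewriteEngine on
# Redirect plain HTTP (port 80) to HTTPS
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*) https://www.exemplo.com/$1 [R=301,L]
DirectoryIndex index.php
# Redirect only takes a literal URL-path prefix; a regular expression needs RedirectMatch
RedirectMatch permanent ^/\.giti /index.php
order deny,allow
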
03.06.2017 / 22:46