From 4c2f51256f2c914a10c0c7aa59311c5862d2a480 Mon Sep 17 00:00:00 2001
From: VirtualTam
Date: Sat, 20 Jan 2018 16:20:53 +0100
Subject: [PATCH 1/3] htaccess: prevent accessing resources not managed by SCM

See:
- https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/
- https://stackoverflow.com/questions/2530372/how-do-i-disable-directory-browsing
- https://httpd.apache.org/docs/current/mod/mod_rewrite.html

Signed-off-by: VirtualTam
---
 .htaccess | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.htaccess b/.htaccess
index 66ef8f6..19dd72a 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,4 +1,12 @@
+# Disable directory listing
+Options -Indexes
+
 RewriteEngine On
+
+# Prevent accessing subdirectories not managed by SCM
+RewriteRule ^(.git|doxygen|vendor) - [F]
+
+# REST API
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule ^ index.php [QSA,L]

From d1e8f152f6a3e7ed5df0ec7f9261d475a777d28a Mon Sep 17 00:00:00 2001
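Review bot: The deny pattern in `RewriteRule ^(.git|doxygen|vendor) - [F]` is a regular expression, so the unescaped dot matches any character and the alternatives are anchored only at the start: a request for `xgit-notes.txt` or `vendors.html` is refused with 403 as well, while nothing stops a future top-level directory from being missed. Escaping the dot, `RewriteRule ^(\.git|doxygen|vendor) - [F]`, limits the first alternative to the `.git` directory and its sibling dotfiles (`.gitignore`, `.gitattributes`), which is presumably the intent; append `(/|$)` if the `doxygen` and `vendor` alternatives should match only those directories rather than any name sharing the prefix. `Options -Indexes` is only honoured when the server's `AllowOverride` for this directory includes `Options`; otherwise Apache rejects the whole .htaccess and every request to the site fails with a 500, so the deployment documentation should state that requirement next to the existing `RewriteEngine On` one.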
From: VirtualTam
Date: Thu, 22 Mar 2018 22:23:41 +0100
Subject: [PATCH 2/3] httpd: always forward the 'Authorization' header

On some Apache HTTPD setups where the CGI/FastCGI mode is used, the HTTP header containing the JWT token is not forwarded, which results in the following error when attempting to use the REST API: "401 Not authorized: JWT token not provided" This patch allows forwarding the 'Authorization' header. An alternative would be to use the `CGIPassAuth` directive to allow all authorization headers to be forwarded.

See:
- https://secure.php.net/manual/en/features.http-auth.php#114877
- https://stackoverflow.com/questions/26475885/authorization-header-missing-in-php-post-request
- https://stackoverflow.com/questions/13387516/authorization-header-missing-in-django-rest-framework-is-apache-to-blame
- https://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers
- https://httpd.apache.org/docs/2.4/en/mod/core.html#cgipassauth

Signed-off-by: VirtualTam
---
 .htaccess | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.htaccess b/.htaccess
index 19dd72a..7ba4744 100644
--- a/.htaccess
+++ b/.htaccess
@@ -6,6 +6,10 @@ RewriteEngine On
 # Prevent accessing subdirectories not managed by SCM
 RewriteRule ^(.git|doxygen|vendor) - [F]
 
+# Forward the "Authorization" HTTP header
+RewriteCond %{HTTP:Authorization} ^(.*)
+RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
+
 # REST API
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d

From e36479d9ffd71b504bc99501ea1fef2579ff46b6 Mon Sep 17 00:00:00 2001
From: VirtualTam
Date: Sun, 25 Mar 2018 20:00:26 +0200
Subject: [PATCH 3/3] Bump Shaarli version to v0.9.6

Signed-off-by: VirtualTam
---
 CHANGELOG.md | 6 +++++-
 shaarli_version.php | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0e737d8..14a4f14 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
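Review bot: `RewriteCond %{HTTP:Authorization} ^(.*)` also matches an absent header, so the rule runs on every request and exports an empty `HTTP_AUTHORIZATION`, which code that checks for the variable's presence rather than its content would read as a supplied-but-empty token; `RewriteCond %{HTTP:Authorization} ^(.+)` restricts the export to requests that actually carry the header. Because the following "REST API" rule rewrites the request to index.php, the per-directory rewrite may reach the script with the variable renamed to `REDIRECT_HTTP_AUTHORIZATION` on the very CGI/FastCGI setups this targets — worth confirming there and, if so, reading both names in the API's token lookup. The rationale from the commit message belongs in the file too, e.g. `# CGI/FastCGI setups drop this header; re-export it so the REST API can read the JWT`, since a reader of the .htaccess alone cannot tell why a no-op rewrite is here.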
@@ -4,7 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
-## [v0.10.0](https://github.com/shaarli/Shaarli/releases/tag/v0.10.0) - UNPUBLISHED
+## [v0.9.6](https://github.com/shaarli/Shaarli/releases/tag/v0.9.6) - 2018-03-25
+## Changed
+- htaccess: prevent accessing resources not managed by SCM
+- htaccess: always forward the 'Authorization' HTTP header
+
 ## [v0.9.5](https://github.com/shaarli/Shaarli/releases/tag/v0.9.5) - 2018-02-02
 
 ### Fixed
diff --git a/shaarli_version.php b/shaarli_version.php
index a47757c..6bd0f82 100644
--- a/shaarli_version.php
+++ b/shaarli_version.php
@@ -1 +1 @@ - +