On Fri, Jul 25, 2014 at 2:33 PM, Nick Edwards <nick.z.edwa...@gmail.com> wrote:
> Howdy, > I've sent this to the roundcube list few days ago, no-one replied so , > since its also apache related, I'll ask here. > > <paste of message> > > Trying to understand the new "security" rules in .htaccess > > - deny access to files not containing a dot or starting with a dot > # in all locations except installer directory > > RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F] > > This doesn't quite make sense, we have a help/ directory, which is not > accessible because of this rule yet all files in that directory are > foo.img or index.php, bar.php > > change to > > RewriteRule ^(?!(installer|help))(\.?[^\.]+)$ - [F] > permits our help/ directory to be read, this is sub optimum because it > will be overwrite at next update again, does someone with good > knowledge of rewrite rules able to shed some light on this? > > <end paste> > So are roundcube folk doing it wrong? > > The entire rewrite rule section is (although my problem is fixed by > only the above line, but in case there is a relation I'll include the > full bit here: > > RewriteEngine On > RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico > > # security rules: > # - deny access to files not containing a dot or starting with a dot > # in all locations except installer directory > #RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F] <--- > this does NOT work > RewriteRule ^(?!(installer|help))(\.?[^\.]+)$ - [F] <--- this works > > # - deny access to some locations > RewriteRule > ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) > - [F] > # - deny access to some documentation files > RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ > - [F] > > > Thanks. > Nik > > This is not really apache related but is more subject of regular expressions. Looks like they are using Oniguruma regular expressions, see http://www.geocities.jp/kosako3/oniguruma/doc/RE.txt. Look at the "Extended groups" section for example: (?!subexp) - this is negative look-ahead expression You need to read the documentation to really understand them. I've dealt with it during Logstash setups, takes some time to get used to it ... if I'm right about this of course :-) Cheers, Igor
