Bug 62867 - Prevent access to the dot prefixed files by default
Summary: Prevent access to the dot prefixed files by default
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Runtime Config
Version: 2.4.37
Hardware: All All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2018-10-30 08:24 UTC by Vladimir Smitka
Modified: 2018-10-30 08:24 UTC
Description Vladimir Smitka 2018-10-30 08:24:11 UTC
There is a configuration block to prevent access to .ht-prefixed files in the default config:

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<Files ".ht*">
    Require all denied
</Files> 

I think it would be wise to extend it to all dot prefixed (hidden) files and dirs except .well-known.

<Directory ~ "/\.(?!well-known\/)">
    Require all denied
</Directory>

I found hundreds of thousands of sites with an exposed .git directory because of it (https://lynt.cz/blog/global-scan-exposed-git, https://smitka.me/open-git).

It isn't only about .git; other VCSs have the same problem, and it has been known for a long time (https://news.ycombinator.com/item?id=838981). Other examples are .DS_Store or temp files created by text editors like vim.

I understand that the webserver shouldn't interfere with the application too much, but I believe it would be a nice step toward slightly better security.
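To see which request paths the two blocks above would actually cover, here is an added Python model (not part of the report and not httpd's own matching code) that applies the stock ".ht*" pattern to the basename and the proposed regex to the file's parent directory. The DocumentRoot and the request paths are constructed; the assumption that httpd tests the <Directory ~> regex against the parent directory path without a trailing slash is a simplification of httpd's directory walk, and the .well-known row depends on it.

```python
import fnmatch
import posixpath
import re

# Patterns copied from the bug report: the stock <Files ".ht*"> block and the
# proposed <Directory ~ "/\.(?!well-known\/)"> regex (Apache's "\/" is just "/").
FILES_PATTERN = ".ht*"
DIRECTORY_REGEX = re.compile(r"/\.(?!well-known/)")

# Constructed DocumentRoot for the examples; the value itself does not matter.
DOCROOT = "/var/www/html"


def resolve(request_path: str, docroot: str = DOCROOT) -> str:
    """Map a URL path onto the filesystem, collapsing '..' and '//' first."""
    clean = posixpath.normpath("/" + request_path.lstrip("/"))
    return docroot.rstrip("/") + clean


def denied_by_files(fs_path: str) -> bool:
    """Model of <Files ".ht*">: the glob is tested against the basename only."""
    return fnmatch.fnmatchcase(posixpath.basename(fs_path), FILES_PATTERN)


def denied_by_directory(fs_path: str) -> bool:
    """Model of the proposed <Directory ~> block. ASSUMPTION: the regex is
    tested against the parent directory path, with no trailing slash."""
    return DIRECTORY_REGEX.search(posixpath.dirname(fs_path)) is not None


def is_denied(request_path: str) -> bool:
    """True if either block would answer the request with 'Require all denied'."""
    fs_path = resolve(request_path)
    return denied_by_files(fs_path) or denied_by_directory(fs_path)


if __name__ == "__main__":
    for p in ["/.htaccess", "/.git/HEAD", "/app/.svn/entries", "/index.html",
              "/.well-known/acme-challenge/token",
              "/.DS_Store",               # dotfile in DocumentRoot: not a directory
              "/.well-known/security.txt"]:  # lookahead needs "well-known/"
        print(f"{p:40} {'denied' if is_denied(p) else 'allowed'}")
```

The two last rows are the caveats worth checking on a real server: a dotfile sitting directly in DocumentRoot is not inside a dot directory, so only a <Files> or <FilesMatch> rule catches it, and the negative lookahead only exempts .well-known when the tested path continues past it.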