rudimentary htaccess security

mroi · May 31, 2016 · 6bd7660 · 6bd7660
1 parent 6334297
commit 6bd7660
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 18 deletions.
diff --git a/.htaccess b/.htaccess
@@ -1,22 +1,19 @@
-<FilesMatch "^\.ht.*">
-	deny from all
-	satisfy all
-	ErrorDocument 403 "Access to these files is forbidden!"
-</FilesMatch>
+DirectoryIndex index.cgi
+AddHandler cgi-script .cgi
 
-<FilesMatch "^data.yaml$">
-	deny from all
-	satisfy all
-	ErrorDocument 403 "Access to these files is forbidden!"
-</FilesMatch>
+RewriteEngine on
+RewriteBase /
 
-RewriteEngine On
-RewriteRule \.git.* /data.yaml
 
-Options +ExecCGI
-AddHandler cgi-script .cgi
-DirectoryIndex index.cgi
+# add trailing slash to subdirectory requests
+RewriteRule ^([^./]+)$ $1/ [R=permanent,L]
+
+
+<FilesMatch "^(.*\.css|favicon\.ico|[^./]+)$">
+	Satisfy any
+	Allow from all
+</FilesMatch>
 
-ErrorDocument 500 /error.cgi
-ErrorDocument 404 /not_found.cgi
-ErrorDocument 401 /authorization_required.cgi
+<Files data.yaml>
+	Deny from all
+</Files>
diff --git a/.htaccess.poll b/.htaccess.poll
@@ -0,0 +1,4 @@
+<FilesMatch "^(|index\.cgi)$">
+        Satisfy any
+        Allow from all
+</FilesMatch>
diff --git a/index.cgi b/index.cgi
@@ -50,6 +50,7 @@ if $cgi.include?("create_poll") && $cgi.include?("poll_url")
 			createnotice = _("A Poll with this address already exists.")
 		else Dir.mkdir(POLLURL)
 			Dir.chdir(POLLURL)
+			File.symlink("../.htaccess.poll",".htaccess")
 			File.symlink("../participate.rb","index.cgi")
 			["overview", "edit_columns", "delete_poll", "invite_participants"].each{|f|
 				File.symlink("../#{f}.rb","#{f}.cgi")