From 6bd7660d228d73f4cbdcd773aef61a2993f1c237 Mon Sep 17 00:00:00 2001 From: Michael Roitzsch Date: Fri, 20 Nov 2015 22:37:06 +0100 Subject: [PATCH] rudimentary htaccess security --- .htaccess | 33 +++++++++++++++------------------ .htaccess.poll | 4 ++++ index.cgi | 1 + 3 files changed, 20 insertions(+), 18 deletions(-) create mode 100644 .htaccess.poll diff --git a/.htaccess b/.htaccess index 494da8d..5a07894 100644 --- a/.htaccess +++ b/.htaccess @@ -1,22 +1,19 @@ - - deny from all - satisfy all - ErrorDocument 403 "Access to these files is forbidden!" - +DirectoryIndex index.cgi +AddHandler cgi-script .cgi - - deny from all - satisfy all - ErrorDocument 403 "Access to these files is forbidden!" - +RewriteEngine on +RewriteBase / -RewriteEngine On -RewriteRule \.git.* /data.yaml -Options +ExecCGI -AddHandler cgi-script .cgi -DirectoryIndex index.cgi +# add trailing slash to subdirectory requests +RewriteRule ^([^./]+)$ $1/ [R=permanent,L] + + + + Satisfy any + Allow from all + -ErrorDocument 500 /error.cgi -ErrorDocument 404 /not_found.cgi -ErrorDocument 401 /authorization_required.cgi + + Deny from all + diff --git a/.htaccess.poll b/.htaccess.poll new file mode 100644 index 0000000..6ed471f --- /dev/null +++ b/.htaccess.poll @@ -0,0 +1,4 @@ + + Satisfy any + Allow from all + diff --git a/index.cgi b/index.cgi index a785d81..aadc12c 100755 --- a/index.cgi +++ b/index.cgi @@ -50,6 +50,7 @@ if $cgi.include?("create_poll") && $cgi.include?("poll_url") createnotice = _("A Poll with this address already exists.") else Dir.mkdir(POLLURL) Dir.chdir(POLLURL) + File.symlink("../.htaccess.poll",".htaccess") File.symlink("../participate.rb","index.cgi") ["overview", "edit_columns", "delete_poll", "invite_participants"].each{|f| File.symlink("../#{f}.rb","#{f}.cgi")
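Review bot: The new `Deny from all` and `Satisfy any` / `Allow from all` blocks in `.htaccess` use Apache 2.2 access-control directives, which on Apache 2.4 only take effect while mod_access_compat is loaded; the new `.htaccess.poll` has the same dependency. A version-independent form would add `Require all denied` and `Require all granted` under `<IfModule mod_authz_core.c>` next to them. The hunk also drops `RewriteRule \.git.* /data.yaml`, and the container patterns around the new blocks are not visible on this page, so it is worth confirming that the deny pattern still covers `.git` and the poll data files. A one-line comment above each block naming the files it opens or closes would make that checkable in review.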
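Review bot: The new `.htaccess.poll` has no comment saying that `index.cgi` links it into every poll directory as `.htaccess`, which is the context a maintainer needs before editing it. `Satisfy any` combined with `Allow from all` lifts any host or authentication restriction inherited from the parent for everything the enclosing container matches, so that container should match the intended files as narrowly as possible; its pattern is not visible on this page. I would add a header line such as `# linked as .htaccess into each poll directory by index.cgi; opens only the files matched below`, with the wording adjusted to the pattern actually used.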
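Review bot: The added `File.symlink("../.htaccess.poll",".htaccess")` does not check that its target exists, and a symlink to a missing file is created without error. On a deployment where `.htaccess.poll` was not installed next to `index.cgi`, every new poll would get a dangling `.htaccess` and access rules other than the ones this commit intends. A guard such as `raise "missing ../.htaccess.poll" unless File.exist?("../.htaccess.poll")` before the link, or the file's usual `createnotice` path, would surface that at creation time. The enclosing `if`/`else` chain starts above the hunk and the `.each` block continues below it, so how errors are reported to the user cannot be judged from here.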