From 83cf63f7a8c3bcb972afcb3c0dbed6cad8ba19c5 Mon Sep 17 00:00:00 2001
From: Tomas Cohen Arazi <tomascohen@gmail.com>
Date: Wed, 13 Mar 2013 14:24:20 -0300
Subject: [PATCH] Bug 9812 - Forbid access to several files through the browser

This patch hides (-Indexes) and forbids (Deny from all) access to some stuff through a browser.
Specifically "xlst", "modules" and "includes" dirs and its contents.

This is just a quick fix we talked about at IRC. The proper solution would be to remove this from htdocs which will still be needed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
I do not have an installation that uses Apache at this point, but the
changes look correct and this was signed off and QAed by Chris and
Jonathan, both of whom have Apache installations.
---
 etc/koha-httpd.conf | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/etc/koha-httpd.conf b/etc/koha-httpd.conf
index 67c54f09a4..dd5ec4185c 100644
--- a/etc/koha-httpd.conf
+++ b/etc/koha-httpd.conf
@@ -20,6 +20,16 @@
    SetEnv MEMCACHED_SERVERS "__MEMCACHED_SERVERS__"
    SetEnv MEMCACHED_NAMESPACE "__MEMCACHED_NAMESPACE__"
 
+   <Directory "__OPAC_WWW_DIR__">
+      Options -Indexes
+   </Directory>
+
+   # Secure internal stuff
+   <DirectoryMatch "__OPAC_WWW_DIR__/.*/(modules|xslt|includes)">
+      Order deny,allow
+      Deny from all
+   </DirectoryMatch>
+
    <IfModule mod_gzip.c>
      mod_gzip_on yes
      mod_gzip_dechunk yes
@@ -122,6 +132,16 @@
    ErrorDocument 404 /cgi-bin/koha/errors/404.pl
    ErrorDocument 500 /cgi-bin/koha/errors/500.pl
 
+   <Directory "__INTRANET_WWW_DIR__">
+      Options -Indexes
+   </Directory>
+
+   # Secure internal stuff
+   <DirectoryMatch "__INTRANET_WWW_DIR__/.*/(modules|xslt|includes)">
+      Order deny,allow
+      Deny from all
+   </DirectoryMatch>
+
    <IfModule mod_gzip.c>
      mod_gzip_on yes
      mod_gzip_dechunk yes
-- 
2.20.1