From f5593842dc99211192955a4e70818de18b6204b5 Mon Sep 17 00:00:00 2001
From: Tomas Cohen Arazi <tomascohen@gmail.com>
Date: Wed, 13 Mar 2013 14:24:20 -0300
Subject: [PATCH] Bug 9812 - Forbid access to several files through the browser

This patch hides (-Indexes) and forbids (Deny from all) access to some stuff through a browser.
Specifically "xlst", "modules" and "includes" dirs and its contents.

This is just a quick fix we talked about at IRC. The proper solution would be to remove this from htdocs which will still be needed.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Jonathan Druart <jonathan.druart@biblibre.com>
Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
---
 etc/koha-httpd.conf | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/etc/koha-httpd.conf b/etc/koha-httpd.conf
index dc82d08a39..9233b53fff 100644
--- a/etc/koha-httpd.conf
+++ b/etc/koha-httpd.conf
@@ -20,6 +20,16 @@
    SetEnv MEMCACHED_SERVERS "__MEMCACHED_SERVERS__"
    SetEnv MEMCACHED_NAMESPACE "__MEMCACHED_NAMESPACE__"
 
+   <Directory "__OPAC_WWW_DIR__">
+      Options -Indexes
+   </Directory>
+
+   # Secure internal stuff
+   <DirectoryMatch "__OPAC_WWW_DIR__/.*/(modules|xslt|includes)">
+      Order deny,allow
+      Deny from all
+   </DirectoryMatch>
+
    <IfModule mod_gzip.c>
      mod_gzip_on yes
      mod_gzip_dechunk yes
@@ -119,6 +129,16 @@
    ErrorDocument 404 /cgi-bin/koha/errors/404.pl
    ErrorDocument 500 /cgi-bin/koha/errors/500.pl
 
+   <Directory "__INTRANET_WWW_DIR__">
+      Options -Indexes
+   </Directory>
+
+   # Secure internal stuff
+   <DirectoryMatch "__INTRANET_WWW_DIR__/.*/(modules|xslt|includes)">
+      Order deny,allow
+      Deny from all
+   </DirectoryMatch>
+
    <IfModule mod_gzip.c>
      mod_gzip_on yes
      mod_gzip_dechunk yes
-- 
2.39.5