- rel 2; fixes CVE-2016-5387

[packages/apache.git] / apache-common.conf

diff --git a/apache-common.conf b/apache-common.conf
index 8b1b75185129ff759f12abd913c1715bf290d859..085c5e7ef242e475e2b4aa970cbc154e200d5737 100644 (file)
--- a/apache-common.conf
+++ b/apache-common.conf
@@ -24,8 +24,11 @@ DocumentRoot "/home/services/httpd/html"
        </IfModule>
 </Directory>
 
-# Prevent .htaccess and .htpasswd files from being viewed by Web clients.
-<Files ".ht*">
+# Prevent access to:
+# - .htaccess and .htpasswd files
+# - backup files from being viewed
+# - PHP's .user.ini
+<FilesMatch  "^(\.ht.*|\.user\.ini|.*~|.*,v)$">
        <IfModule mod_authz_host.c>
                Require all denied
        </IfModule>
@@ -33,10 +36,11 @@ DocumentRoot "/home/services/httpd/html"
                Order deny,allow
                Deny from all
        </IfModule>
-</Files>
+</FilesMatch>
 
-# Prevent backup files from being viewed, too.
-<Files "*~">
+# Prevent access to:
+# - version control directories
+<DirectoryMatch "/(\.(svn|git|hg|bzr)|CVS)/?">
        <IfModule mod_authz_host.c>
                Require all denied
        </IfModule>
@@ -44,7 +48,7 @@ DocumentRoot "/home/services/httpd/html"
                Order deny,allow
                Deny from all
        </IfModule>
-</Files>
+</DirectoryMatch>
 
 #
 # This should be changed to whatever you set DocumentRoot to.