source: trunk/unsupported_plugins/.htaccess @ 1368

Last change on this file since 1368 was 1368, checked in by gogo, 20 months ago

ClientSideSpellcheck is not a threat

File size: 4.3 KB
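<IfModule mod_setenvif.c>

  ErrorDocument 403 "This request has been denied because the plugin is potentially vulnerable and your IP is not approved. Developers can add approved IP addresses to the [...]/xinha/unsupported_plugins/.htaccess file"

  # Some unsupported plugins are potentially more dangerous to have
  #  open-to-the-world than others due to the potential for unknown or
  #  crept-in-through-php-updates type vulnerabilities
  #
  # As a result those plugins (see further below) are limited to approved
  #  ip addresses only, which you can set below.
  #
  # Every Remote_Addr pattern here is anchored with ^ and $. SetEnvIf does
  #  a substring regex match, so an unanchored 10\.[0-9]+\.[0-9]+\.[0-9]+
  #  would also approve e.g. 110.x.x.x or 210.x.x.x. Keep the anchors
  #  on any pattern you add.

  # Localhost only by default, I figure if you are running locally there
  #  isn't much more bad that can happen than already is.
  ########################################################################
  SetEnvIf Remote_Addr ^127\.0\.0\.1$ approved_ip

  # The IPv6 loopback is a different address and is NOT covered by the
  #  line above (it is denied, which is the safe direction). Uncomment
  #  this if you reach the server over ::1
  ########################################################################
  # SetEnvIf Remote_Addr ^::1$ approved_ip

  # The following ranges are the Private IPv4 Space
  # If you are allowing only your local network to access this, just
  #  uncomment the appropriate one(s)
  ########################################################################
  # SetEnvIf Remote_Addr ^192\.168\.[0-9]+\.[0-9]+$    approved_ip
  # SetEnvIf Remote_Addr ^10\.[0-9]+\.[0-9]+\.[0-9]+$  approved_ip
  # SetEnvIf Remote_Addr ^172\.1[6-9]\.[0-9]+\.[0-9]+$ approved_ip
  # SetEnvIf Remote_Addr ^172\.2[0-9]\.[0-9]+\.[0-9]+$ approved_ip
  # SetEnvIf Remote_Addr ^172\.3[0-1]\.[0-9]+\.[0-9]+$ approved_ip
  ########################################################################

  # Add additional SetEnvIf to approve further IP addresses, note that
  #  the IP address is a regular expression, be sure to escape the dots
  #  and keep the ^ and $ anchors.
  ########################################################################
  # SetEnvIf Remote_Addr ^111\.111\.111\.111$         approved_ip
  # SetEnvIf Remote_Addr ^123\.123\.123\.123$         approved_ip
  #########################################################################

  # Plugin List
  #########################################################################
  # Only plugins flagged security_threat are restricted to approved IPs.
  #  The not_a_security_threat marker is documentation only - none of the
  #  access rules further down read it - so a plugin that is not flagged
  #  security_threat is reachable from everywhere. When in doubt, flag it.
  #
  # SetEnvIfNoCase is used because Request_URI matching is otherwise
  #  case-sensitive while the filesystem may not be (Windows, default
  #  macOS): there /spellchecker/ would serve the plugin but miss a
  #  case-sensitive rule.

  #SetEnvIfNoCase Request_URI "/BackgroundImage/" not_a_security_threat
  #SetEnvIfNoCase Request_URI "/DoubleClick/" not_a_security_threat
  #SetEnvIfNoCase Request_URI "/Filter/" not_a_security_threat
  #SetEnvIfNoCase Request_URI "/InsertMarquee/" not_a_security_threat
  #SetEnvIfNoCase Request_URI "/NoteServer/" not_a_security_threat
  #SetEnvIfNoCase Request_URI "/Template/" not_a_security_threat

  SetEnvIfNoCase Request_URI "/ExtendedFileManager/"  security_threat
  SetEnvIfNoCase Request_URI "/HtmlTidy/"             security_threat
  SetEnvIfNoCase Request_URI "/ImageManager/"         security_threat
  SetEnvIfNoCase Request_URI "/InsertPicture/"        security_threat
  SetEnvIfNoCase Request_URI "/SpellChecker/"         security_threat

  SetEnvIfNoCase Request_URI "/PersistentStorage/"    security_threat
    SetEnvIfNoCase Request_URI "/PSFixed/"            security_threat
    SetEnvIfNoCase Request_URI "/PSLocal/"            security_threat
    SetEnvIfNoCase Request_URI "/PSServer/"           security_threat

  # And this is where we deny things, hopefully this concoction of rules
  #  works in most typical Apache situations.

  # Apache < 2.3
  <IfModule !mod_authz_core.c>
      # Deny,Allow means
      #  if both match then allow,
      #  else if neither match then allow,
      #  else if deny matches then deny,
      #  else if allow matches then allow
      Order Deny,Allow
      Deny from env=security_threat
      Allow from env=approved_ip
  </IfModule>

  # Apache >= 2.3
  <IfModule mod_authz_core.c>

    # Which has the compatibility module, we will have to use
    #  this also to make sure that is denied in case the
    #  vhost includes old rules too which would override
    #  the new Require directives
    <IfModule mod_access_compat.c>
      Order Deny,Allow
      Deny from env=security_threat
      Allow from env=approved_ip
    </IfModule>

    # Finally Apache >= 2.3 properly (why did they make this so confusing)
    # RequireAny grants access if ANY child grants it; the request is
    #  denied only when every child fails.
    <RequireAny>
      # Deny everybody by default (never grants on its own, it only
      #  spells out the fallback when neither RequireAll below matches)
      Require all denied

      # Except if it's not a security threat
      <RequireAll>
        Require all granted
        Require not env security_threat
      </RequireAll>

      # Except if it's an approved IP
      <RequireAll>
        Require all granted
        Require env approved_ip
      </RequireAll>
    </RequireAny>
  </IfModule>

</IfModule>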