Accepting request 353836 from server:php:applications

1 OBS-URL: https://build.opensuse.org/request/show/353836 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/roundcubemail?expand=0&rev=36
2016-01-17 08:23:22 +00:00 · 2016-01-17 08:23:22 +00:00 · 456c888f92
commit 456c888f92
parent 1e89ae1bc8 bba1cae52a
2 changed files with 16 additions and 7 deletions
--- a/roundcubemail-httpd.conf
+++ b/roundcubemail-httpd.conf
@ -48,6 +48,7 @@ AddType text/x-component .htc
        php_value       post_max_size                   6M
        php_value       memory_limit                    64M

+        php_flag        register_globals                Off
        php_flag        zlib.output_compression         Off
        php_flag        magic_quotes_gpc                Off
        php_flag        magic_quotes_runtime            Off
@ -59,18 +60,21 @@ AddType text/x-component .htc
        php_value       session.gc_maxlifetime          21600
        php_value       session.gc_divisor              500
        php_value       session.gc_probability          1
-
-        # http://bugs.php.net/bug.php?id=30766
-        php_value       mbstring.func_overload          0
    </IfModule>

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
+
+        # security rules:
+        # - deny access to files not containing a dot or starting with a dot
+        #   in all locations except installer directory
+        RewriteRule ^(?!installer|\.well-known\/|[a-f0-9]{16})(\.?[^\.]+)$ - [F]
+        # - deny access to some locations
+        RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+        # - deny access to some documentation files
+        RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml|Dockerfile)$ - [F]
        # security rules
-        RewriteRule .git - [F]
-        RewriteRule ^/?(README(.md)?|INSTALL|LICENSE|SQL|bin|CHANGELOG)$ - [F]
-        RewriteRule ^(?!installer|[a-f0-9]{16})(\.?[^\.]+)$ - [F]
    </IfModule>

    <IfModule mod_deflate.c>
--- a/roundcubemail.changes
+++ b/roundcubemail.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Jan 15 11:57:10 UTC 2016 - aj@ajaissle.de
+
+- Changed apache2 config
+
 -------------------------------------------------------------------
 Thu Dec 31 10:42:03 UTC 2015 - lars@linux-schulserver.de

@ -20,7 +25,7 @@ Thu Dec 31 10:42:03 UTC 2015 - lars@linux-schulserver.de
    Fix regression in displaying contents of message/rfc822 parts (#1490606)
    Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
    Fix PDF support detection in Firefox > 19 (#1490610)
-    Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620)
+    Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620) [CVE-2015-8770] [bnc#962067]
    Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#1490619) 

 - explicitely add required PHP packages (according to INSTALL):