From bba1cae52a1017b8c855495a08ad26876e19ca3c9ce5b073613330e3ffb6c8f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aeneas=20Jai=C3=9Fle?=
Date: Fri, 15 Jan 2016 12:06:27 +0000
Subject: [PATCH] Accepting request 353835 from home:aeneas_jaissle:branches:server:php:applications
OBS-URL: https://build.opensuse.org/request/show/353835
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/roundcubemail?expand=0&rev=97
---
 roundcubemail-httpd.conf | 16 ++++++++++------
 roundcubemail.changes | 7 ++++++-
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/roundcubemail-httpd.conf b/roundcubemail-httpd.conf
index a02b018..8cfd98f 100644
--- a/roundcubemail-httpd.conf
+++ b/roundcubemail-httpd.conf
@@ -48,6 +48,7 @@ AddType text/x-component .htc
 php_value post_max_size 6M
 php_value memory_limit 64M
+ php_flag register_globals Off
 php_flag zlib.output_compression Off
 php_flag magic_quotes_gpc Off
 php_flag magic_quotes_runtime Off
@@ -59,18 +60,21 @@ AddType text/x-component .htc
 php_value session.gc_maxlifetime 21600
 php_value session.gc_divisor 500
 php_value session.gc_probability 1
-
- # http://bugs.php.net/bug.php?id=30766
- php_value mbstring.func_overload 0
 RewriteEngine On
 RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
+
+ # security rules:
+ # - deny access to files not containing a dot or starting with a dot
+ # in all locations except installer directory
+ RewriteRule ^(?!installer|\.well-known\/|[a-f0-9]{16})(\.?[^\.]+)$ - [F]
+ # - deny access to some locations
+ RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+ # - deny access to some documentation files
+ RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml|Dockerfile)$ - [F]
 # security rules
- RewriteRule .git - [F]
- RewriteRule ^/?(README(.md)?|INSTALL|LICENSE|SQL|bin|CHANGELOG)$ - [F]
- RewriteRule ^(?!installer|[a-f0-9]{16})(\.?[^\.]+)$ - [F]
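Review bot: The negative lookahead in the first new RewriteRule (`^(?!installer|…)`) deliberately leaves `installer/` reachable and nothing else in the hunk denies it, so after installation the Roundcube installer stays exposed unless it is disabled in the application config (not visible here); once installed it should be denied like the other locations, e.g. `RewriteRule ^/?(\.git|\.tx|SQL|bin|config|installer|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]`. The alternatives in that second rule are unanchored prefixes with no trailing `/` or `$`, so they also reject any unrelated path beginning with `bin`, `temp`, `config` or `tests`; appending `(/|$)` to the group would make the intent explicit and avoid collateral 403s. The added `php_flag register_globals Off` is effectively a no-op on PHP 5.4 and later, where that ini setting no longer exists, so a comment such as `# register_globals was removed in PHP 5.4; this only matters on 5.3 hosts` would save the next reader a check. The enclosing container (presumably a <Directory> block, given the per-directory php_value/php_flag lines) starts and ends outside the hunk.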
diff --git a/roundcubemail.changes b/roundcubemail.changes
index a281862..91068a5 100644
--- a/roundcubemail.changes
+++ b/roundcubemail.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Jan 15 11:57:10 UTC 2016 - aj@ajaissle.de
+
+- Changed apache2 config
+
 -------------------------------------------------------------------
 Thu Dec 31 10:42:03 UTC 2015 - lars@linux-schulserver.de
@@ -20,7 +25,7 @@ Thu Dec 31 10:42:03 UTC 2015 - lars@linux-schulserver.de
 Fix regression in displaying contents of message/rfc822 parts (#1490606)
 Fix handling of message/rfc822 attachments on replies and forwards (#1490607)
 Fix PDF support detection in Firefox > 19 (#1490610)
- Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620)
+ Fix path traversal vulnerability (CWE-22) in setting a skin (#1490620) [CVE-2015-8770] [bnc#962067]
 Fix so drag-n-drop of text (e.g. recipient addresses) on compose page actually works (#1490619)
 - explicitely add required PHP packages (according to INSTALL):