Textpattern CMS support forum
#1 2020-08-17 09:06:41
- gomedia
- Plugin Author
- Registered: 2008-06-01
- Posts: 1,373
Distributing .htaccess
Spotted a missing .htaccess file the other day and after hacking around I ended up disappearing down a rabbit hole. I’m hoping someone can provide some clarity.
Going through old Textpattern distributions (*.zip), there seem to be some variations in the provision of the .htaccess file. This is what (I think) has been supplied in the past:
- TXP 4.6: .htaccess, textpattern/.htaccess, files/.htaccess-dist
- TXP 4.7: .htaccess, files/.htaccess-dist, themes/.htaccess
- TXP 4.8: .htaccess, textpattern/.htaccess, files/.htaccess, themes/.htaccess
- .htaccess in root has been a constant presence
- files/.htaccess provided by default in 4.8 (as opposed to a serving suggestion in previous releases) and seems to have always been for inhibiting listings and direct downloads
- themes/.htaccess looks like a new regular, and again is for inhibiting listings and direct downloads
- textpattern/.htaccess changed from a “Content-Security-Policy” thing in 4.6 to a directory listing block in 4.8
- What happened with textpattern/.htaccess? It went out of favour in 4.7 and was completely different on its return in 4.8.
- Should images have its own .htaccess to stop snooping?
- Could the 4.8 combo be backdated onto a 4.7 site to boost the security fence?
Thanks in advance as always.
Offline
#2 2020-08-17 16:41:39
- neptho
- Member
- From: A cold, dark place.
- Registered: 2006-02-01
- Posts: 48
Re: Distributing .htaccess
I’m pretty sure all of this mulling about is because most of us end up editing our own .htaccess for our needs, and TXP didn’t want to destroy that.
files/ is a nice idea, and I think we all need to pay more attention when we upgrade – I almost did a whoopsie from 4.8.0 to 4.8.2 because I was ready to do a directory blast ™ tarball, and then saw a couple things I would have broken from my legacy code circa 2003.
Offline
Re: Distributing .htaccess
Honestly I don’t know what happened to textpattern/.htaccess in 4.7. It should have been there and I don’t recall removing it. Nor do I recall why the one in /files changed from a -dist to an actual, but there was probably a reason buried in the commit history or GitHub issues.
End of the day, nothing to stop you changing them or copying and pasting to backport. Besides the root and the one in /textpattern, we probably should only be suggesting examples so we don’t inadvertently blat people’s customizations on upgrade.
In 4.9, your CSP rules can be set at the config.php level so stuff in the .htaccess can focus on extra peace of mind at keeping script kiddies out.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
#4 2020-08-18 01:37:45
- gomedia
- Plugin Author
- Registered: 2008-06-01
- Posts: 1,373
Re: Distributing .htaccess
Had a play with .htaccess in /images:
- inhibiting directory listing (Options -Indexes) doesn’t seem to have any untoward effects on the admin or public side of the website
- inhibiting direct file downloads (RedirectMatch 403 .*) prevents the display of the image & its thumbnail in Image Edit tab
Offline
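An added example, not part of the thread or of Textpattern itself: a shell audit that reports which of the directories discussed above carry an .htaccess and whether it blocks listings (Options -Indexes) or direct downloads (RedirectMatch 403). The function names, status words and sample tree are this example's own assumptions, and the sample file contents are constructed.

```shell
# Added example: audit the .htaccess coverage discussed in this thread.
# Function names, status words and the sample tree are assumptions of this example.

# classify FILE: print which of the thread's two protections the file enables.
classify() {
    flags=""
    # Anchored patterns skip commented-out directives.
    if grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"; then
        flags="no-listing"
    fi
    if grep -Eiq '^[[:space:]]*RedirectMatch[[:space:]]+403[[:space:]]' "$1"; then
        flags="${flags:+$flags,}no-direct-download"
    fi
    printf '%s' "${flags:-no-known-directive}"
}

# audit_htaccess ROOT: print "<dir> <status>" for each directory named in the thread.
audit_htaccess() {
    root=$1
    for dir in . textpattern files themes images; do
        f="$root/$dir/.htaccess"
        if [ -f "$f" ]; then
            status=$(classify "$f")
        elif [ -f "$f-dist" ]; then
            status="dist-only"   # a suggestion only; Apache does not read this name by default
        else
            status="missing"
        fi
        # Post #4: blocking direct downloads in images/ breaks the Image Edit preview.
        if [ "$dir" = images ]; then
            case $status in *no-direct-download*) status="$status(breaks-image-display)" ;; esac
        fi
        printf '%s %s\n' "$dir" "$status"
    done
}

# make_sample_tree: constructed layout (4.7 list from post #1 plus post #4's images test).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/textpattern" "$t/files" "$t/themes" "$t/images"
    printf 'RewriteEngine On\n' > "$t/.htaccess"
    for p in files/.htaccess-dist themes/.htaccess images/.htaccess; do
        printf 'Options -Indexes\nRedirectMatch 403 .*\n' > "$t/$p"
    done
    printf '%s' "$t"
}

# With a path argument, audit that install.
if [ "$#" -gt 0 ]; then audit_htaccess "$1"; fi
```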