HTML5 Boilerplate htaccess file code

Home Forums BulletProof Security Pro HTML5 Boilerplate htaccess file code

This topic contains 4 replies, has 2 voices, and was last updated by  AITpro Admin 3 years, 7 months ago.

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #19329

    Max
    Participant

    Hi,

    I have a couple Qs about a bit of code from the html5 boilerplate, namely from the ‘File Access’ section:

    <FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$">
    
    # Apache < 2.3
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    Satisfy All
    </IfModule>
    
    # Apache ≥ 2.3
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    
    </FilesMatch>

    https://github.com/h5bp/html5-boilerplate/blob/master/dist/.htaccess

    I have seen this code used in adaptations of the html5b htaccess for WP, for instance

    ### Block access to source files
    <FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
    Order allow,deny
    Deny from all
    Satisfy All
    </FilesMatch>

    https://github.com/Creare/WP-htaccess/blob/master/.htaccess

    My primary Q is: does BPSpro already protect these files, if so how?
    Secondary Q: I have been studying .htaccess/mod_rewrite/regex and am not sure what to make of the ‘#’ symbols as used in the code (unless they are meant as literal character tokens)?

    (^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)

    also, if the ‘~’ tilde symbol is meant to be something other than a literal character token, then I also do not understand that ‘~’ 🙂

    I am also interested in your opinion of the ‘Reflected Cross-Site Scripting (XSS) attacks’ code in the html5 boilerplater htaccess? Finally, if any of above referenced code looks sensible to you in general sense… guidance on which ‘custom code’ box to use?

    Thanks for your time 🙂
    Kind Regards, Max

    #19331

    Max
    Participant

    update: I should note, I am on apache 2.2.23 so I was looking at the html5 boilerplate rules for < 2.3

    Cheers, Max

    #19334

    AITpro Admin
    Keymaster

    The Plugin Firewall protects all of this file types in the /plugins/ folder from being publicly accessible:

    7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|txt|vb|vbe|vbs|war|ws|wsf|xhtml|z|zip

    The BPS Root htaccess file specifically protects these files from being publicly accessible: wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php
    The BPS wp-admin htaccess file specifically protects these files from being publicly accessible install\.php

    For WordPress sites typically you only need to protect .php files since most WordPress files are .php files. You can of course add any other file types that you have in your website folders.

    ^#.*#

    I am not sure what that code above is intended to mean, but in the example it is going to mean “comment everything out” to the right of the leftmost pound sign. I don’t think that is what was intended in that code. Or in other words, that code is probably incorrect/invalid. In RegEx code you can use the # signs as delimiters (boundaries), but that does not work in htaccess code.  To parse a # sign you need to use the [NE,L] flag. Instead of escaping the # sign the url encoded equivalent should be used \%23.

    The tilde has no special meaning that I am aware of in htaccess code so in that code it would be interpreted literally as a tilde.

    No opinion on the Reflected XSS code.  Sounds like a good idea, but I have not looked at the code or tested it so I would not be able to offer any suggestions or an opinion.  If I have some spare time in a few days I will look over the code.

    You would add any/all of this custom htaccess code to this Root Custom Code text box:   and do the Custom Code setup steps which you will find in the Custom Code Read Me help button.

    #19335

    Max
    Participant

    Thanks for you rapid response!

    “I am not sure what that code above is intended to mean, but in the example it is going to mean “comment everything out” to the right of the leftmost pound sign. I don’t think that is what was intended in that code. Or in other words, that code is probably incorrect/invalid. In RegEx code you can use the # signs as boundaries, but that does not work in htaccess code.  To parse a # sign you need to use the [NE,L] flag. Instead of escaping the # sign the url encoded equivalent should be used \%23

    That is exactly what I thought, except I was not confident in being correct! How can such a popular framework as html5 bolierplate be using broken htaccess regex?

    I am confounded! I did my best to look through J.Friedl’s ‘Mastering Regular Expressions’ and am at this point always rereading R.Bowen’s ‘Difinitive Guide to Apache mod_rewrite’ and found no explanation for the use of the ‘#’ characters in above code in any way that would not break site/be weird…

    so, I imagined that that they were either meant to be a) literal characters, then they need to be treated as you say or b) they were used to represent places where one is expected to supply appropriate values…

    I figured that BPSpro was probably blocking access to these files already 🙂
    I am trying though to learn the wheres and hows, so your explanations are totally appreciated!
    Regarding the  ‘Reflected Cross-Site Scripting (XSS) attacks’ code in the html5 boilerplate… for ease of reference here is taken from

    https://github.com/h5bp/html5-boilerplate/blob/master/dist/.htaccess

    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
    Header unset X-XSS-Protection
    </FilesMatch>
    </IfModule>

    Kind Regards, Max

    #19340

    AITpro Admin
    Keymaster

    Oh yeah you are probably right about the intention being literally a #match anything# pattern, but it is not valid since # signs in htaccess code mean comment something out.  My RegEx brain kicked in and saw delimiters (boundaries) since # signs are frequently used in php code RegEx patterns as delimiters (boundaries).

    That code would ONLY work on IE8+ and Chrome (some versions) Browser versions.
    https://www.owasp.org/index.php/List_of_useful_HTTP_headers

    Header set X-XSS-Protection "1; mode=block"

    These bits of htaccess code are pending testing. We are locked in for tasks for BPS Pro 9.9 so testing these bits of code will have to wait, but feel free to experiment with them.

    # Don't allow pages to be framed externally - Defends against CSRF
    Header append X-FRAME-OPTIONS "SAMEORIGIN"
    
    # Only allow JavaScript from the same domain to be run.
    # Don't allow inline JavaScript to run.
    Header set X-Content-Security-Policy "allow 'self';"
    
    # Prevent mime based attacks
    Header set X-Content-Type-Options "nosniff"
    
    # Control Cross-Domain Policies
    Header set X-Permitted-Cross-Domain-Policies "master-only"
Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.