Date: Fri, 25 Jul 2014 14:33:13 +1000
From: Nick Edwards
To: users@httpd.apache.org
Subject: [users@httpd] rewrite rule problem

Howdy,

I've sent this to the roundcube list a few days ago, no-one replied so, since it's also apache related, I'll ask here.

Trying to understand the new "security" rules in .htaccess

- deny access to files not containing a dot or starting with a dot
# in all locations except installer directory
RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]

This doesn't quite make sense. We have a help/ directory, which is not accessible because of this rule, yet all files in that directory are foo.img or index.php, bar.php.

Changing to

RewriteRule ^(?!(installer|help))(\.?[^\.]+)$ - [F]

permits our help/ directory to be read. This is sub-optimum because it will be overwritten at the next update again. Is someone with good knowledge of rewrite rules able to shed some light on this?

So are roundcube folk doing it wrong?

The entire rewrite rule section is (although my problem is fixed by only the above line, but in case there is a relation I'll include the full bit here):

RewriteEngine On
RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
# security rules:
# - deny access to files not containing a dot or starting with a dot
# in all locations except installer directory
#RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F] <--- this does NOT work
# this works:
RewriteRule ^(?!(installer|help))(\.?[^\.]+)$ - [F]
# - deny access to some locations
RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
# - deny access to some documentation files
RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]

Thanks.
Nik
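
Added example (not part of the original message and not Roundcube's code): the two patterns from the message evaluated against constructed request paths, with Python's `re` standing in for Apache's PCRE. Assumptions: paths are written relative to the directory with no leading slash, which is how a RewriteRule in .htaccess sees them, and the `helpdesk-notes` and `installer_backup` names are hypothetical.

```python
import re

# Patterns copied from the .htaccess in the message. Python's re is used as a
# stand-in for PCRE; both treat these constructs the same way.
ORIGINAL = re.compile(r'^(?!installer)(\.?[^\.]+)$')
MODIFIED = re.compile(r'^(?!(installer|help))(\.?[^\.]+)$')

# Constructed sample paths, written the way a per-directory (.htaccess)
# RewriteRule sees them: relative to the directory, no leading slash.
SAMPLE_PATHS = [
    "help/",               # directory request: no dot anywhere
    "help/index.php",      # contains a dot
    "help/foo.img",
    ".htaccess",           # starts with a dot, no further dots
    ".git/config",
    "installer/",
    "index.php",
    "helpdesk-notes",      # hypothetical name sharing the "help" prefix
    "installer_backup",    # hypothetical name sharing the "installer" prefix
]

def forbidden(pattern, path):
    """True if the rule would match, i.e. the [F] flag would return 403."""
    return pattern.search(path) is not None

def compare(paths=SAMPLE_PATHS):
    """Map each path to (forbidden by original, forbidden by modified)."""
    return {p: (forbidden(ORIGINAL, p), forbidden(MODIFIED, p)) for p in paths}

def newly_allowed(paths=SAMPLE_PATHS):
    """Paths the original rule blocks but the modified rule lets through."""
    return [p for p, (old, new) in compare(paths).items() if old and not new]

if __name__ == "__main__":
    for path, (old, new) in compare().items():
        print(f"{path:20} original={'403' if old else 'ok':4} modified={'403' if new else 'ok'}")
    print("newly allowed:", newly_allowed())
```

A bare directory request such as `help/` contains no dot, so the original pattern matches it even though every file inside the directory has an extension. The lookahead is a prefix test, so the modified rule also exempts any other dot-less name that begins with `help`.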