Version 1.4.2 Fix htaccess for pages with name like system folders

2020-11-25 10:36:41 +01:00 · 2020-11-25 10:36:41 +01:00 · 7198b80d4b
commit 7198b80d4b
parent 5a20be8322
2 changed files with 50 additions and 20 deletions
--- a/.htaccess
+++ b/.htaccess
@ -1,3 +1,5 @@
+<IfModule mod_rewrite.c>
+
 RewriteEngine On

 # If your homepage is http://yourdomain.com/yoursite
@ -7,27 +9,14 @@ RewriteEngine On
 # In some environements, an empty RewriteBase is required:
 # RewriteBase /

-# Protect your system files from prying eyes
-RewriteRule ^(system\/author\/) - [L]
-RewriteRule ^(system) - [F,L]
-RewriteRule ^(data) - [F,L]
-RewriteRule ^(content) - [F,L]
-RewriteRule ^(settings) - [F,L]
-RewriteRule ^(.*)?\.yml$ - [F,L]
-Rewriterule ^(.*)?\.yaml$ - [F,L]
-RewriteRule ^(.*)?\.txt$ - [F,L]
-RewriteRule ^(.*)?\.example$ - [F,L]
-RewriteRule ^(.*/)?\.git+ - [F,L]
-
 # Use this to redirect HTTP to HTTPS on apache servers
 # RewriteCond %{HTTPS} off
 # RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

 # Use this to redirect www to non-wwww on apache servers
-# RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
 # RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

-# Use this to redirect slash/ to no slash urls on apache servers
+# Use this to redirect slash/ to url without slash on apache servers
 # RewriteCond %{REQUEST_FILENAME} !-d
 # RewriteRule ^(.*)/$ /$1 [R=301,L]

@ -35,8 +24,48 @@ RewriteRule ^(.*/)?\.git+ - [F,L]
 RewriteCond %{THE_REQUEST} ^GET.*index\.php [NC]
 RewriteRule (.*?)index\.php/*(.*) /$1$2 [R=301,NE,L]

-# Directs all web requests through the site index file
+# REWRITE TO INDEX
+
+# If the requested path and file not /index.php
 RewriteCond %{REQUEST_URI} !^/index\.php
+
+# if requested doesn't match a physical file
 RewriteCond %{REQUEST_FILENAME} !-f
+
+# if requested doesn't match a physical folder
 RewriteCond %{REQUEST_FILENAME} !-d
-RewriteRule ^ index.php [QSA,L]
+
+# then rewrite the request to the index.php script
+RewriteRule ^ index.php [QSA,L]
+
+
+# FILE/FOLDER PROTECTION
+
+# Deny access to these file types generally
+RewriteRule ^(.*)?\.yml$ - [F,L]
+Rewriterule ^(.*)?\.yaml$ - [F,L]
+RewriteRule ^(.*)?\.txt$ - [F,L]
+RewriteRule ^(.*)?\.example$ - [F,L]
+RewriteRule ^(.*/)?\.git+ - [F,L]
+RewriteRule ^(.*/)?\.md - [F,L]
+RewriteRule ^(.*/)?\.php - [F,L]
+RewriteRule ^(.*/)?\.twig - [F,L]
+
+# Block access to specific files in the root folder
+RewriteRule ^(licence\.md|readme\.md|composer\.lock|composer\.json|\.htaccess)$ error [F,L]
+
+# block files and folders starting with a dot except for the .well-known folder (Let's Encrypt)
+RewriteRule (^|/)\.(?!well-known\/) index.php [L]
+
+# Allow access to frontend files in author folder
+RewriteRule ^(system\/author\/css\/) - [L]
+RewriteRule ^(system\/author\/img\/) - [L]
+RewriteRule ^(system\/author\/js\/) - [L]
+
+# redirect all other direct requests to the following physical folders to the index.php so pages with same name work
+RewriteRule ^(system|content|data|settings) index.php [QSA,L]
+
+# disallow browsing other folders generally
+Options -Indexes
+
+</IfModule>
--- a/system/Controllers/PageController.php
+++ b/system/Controllers/PageController.php
@ -23,7 +23,8 @@ use Typemill\Extensions\ParsedownExtension;
 class PageController extends Controller
 {
 	public function index($request, $response, $args)
-	{
+	{	
+
 		/* Initiate Variables */
 		$structure		= false;
 		$contentHTML	= false;
@ -115,9 +116,9 @@ class PageController extends Controller
 		}
 		else
 		{
-			# get the request url
-			$urlRel = $uri->getBasePath() . '/' . $args['params'];
-			
+			# get the request url, trim args so physical folders have no trailing slash
+			$urlRel = $uri->getBasePath() . '/' . trim($args['params'], "/");
+
 			# find the url in the content-item-tree and return the item-object for the file
 			# important to use the structure here so it is found, even if the item is hidden.
 			$item = Folder::getItemForUrl($structure, $urlRel, $uri->getBasePath());