From ee5b4f0d56fb565aac4ef50e8cd6d0dd8ae45084 Mon Sep 17 00:00:00 2001
From: Daniel Rudolf
Date: Wed, 27 Apr 2016 21:02:20 +0200
Subject: [PATCH] .htaccess: Deny access to CHANGELOG.md, composer.json, composer.lock
See discussion in #343
---
 .htaccess | 3 ++-
 CHANGELOG.md | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.htaccess b/.htaccess
index 9e7ac73..5851794 100644
--- a/.htaccess
+++ b/.htaccess
@@ -5,7 +5,8 @@
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule ^(.*)$ index.php?$1 [L,QSA]
- RewriteRule ^(.git|config|content|content-sample|lib|vendor)/.*$ index.php?$0 [L,QSA]
+ RewriteRule ^(\.git|config|content|content-sample|lib|vendor)(/.*)?$ index.php?$0 [L,QSA]
+ RewriteRule ^(CHANGELOG.md|composer.(json|lock)) index.php?404 [L]
 SetEnv PICO_URL_REWRITING 1
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2c478c4..de61437 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,8 @@ Released: -
 * [Changed] Improve documentation
 * [Changed] Add CSS rules for definition lists to default theme
 * [Changed] Always use `on404Content...` execution path when serving a `404.md`
-* [Changed] Deny access to `.git` directory (`.htaccess` file)
+* [Changed] Deny access to `.git` directory, `CHANGELOG.md`, `composer.json`
+ and `composer.lock` (`.htaccess` file)
 * [Changed] Use Pico's `404.md` to deny access to `.git`, `config`, `content`,
 * `content-sample`, `lib` and `vendor` dirs (`.htaccess` file)
 * [Fixed] #342: Fix responsiveness in default theme
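Review bot: The added rule `RewriteRule ^(CHANGELOG.md|composer.(json|lock)) index.php?404 [L]` leaves its dots unescaped and has no `$`, even though the line above it was just corrected from `.git` to `\.git`; as written it also 404s any page whose URL merely begins with one of these names. It is also case-sensitive, so on a case-insensitive filesystem a differently-cased request for the same file would presumably not be caught (the same holds for the directory rule above it). I would write it as `RewriteRule ^(CHANGELOG\.md|composer\.(json|lock))$ index.php?404 [L,NC]`. The enclosing rewrite block starts and ends outside the hunk, so it is worth a comment there that these denials only take effect when mod_rewrite is loaded and `.htaccess` overrides are allowed.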