From cd998bdd4f5b72f7bee91898d9351919273516ba Mon Sep 17 00:00:00 2001
From: mollux
Date: Mon, 28 Feb 2022 22:06:24 +0100
Subject: [PATCH] Merge pull request from GHSA-mj6m-246h-9w56
* only allow access to specific PHP files in their specific location
* same change is needed in .htaccess file scaffolded in mautic/core-lib
* improved wording in comments
Co-authored-by: Ruth Cheesley
* loosened regex to allow index_dev.php requests
Co-authored-by: Ruth Cheesley
---
.htaccess | 12 ++++++------
app/assets/scaffold/files/htaccess | 13 ++++++-------
2 files changed, 12 insertions(+), 13 deletions(-)
diff --git a/.htaccess b/.htaccess
index 4a0d9e8977b..a1ad665eed0 100644
--- a/.htaccess
+++ b/.htaccess
@@ -109,10 +109,10 @@ Require all denied - # Except those whitelisted bellow. - + # Except those allowed below. + Require all granted - + # Fallback for Apache < 2.4
@@ -129,10 +129,10 @@ Deny from all - # Except those whitelisted bellow. - + # Except those allowed below. + Order allow,deny Allow from all - +
diff --git a/app/assets/scaffold/files/htaccess b/app/assets/scaffold/files/htaccess
index 4a0d9e8977b..018999d3ff3 100644
--- a/app/assets/scaffold/files/htaccess
+++ b/app/assets/scaffold/files/htaccess
@@ -109,10 +109,10 @@ Require all denied - # Except those whitelisted bellow. - + # Except those allowed below. + Require all granted - + # Fallback for Apache < 2.4
@@ -129,10 +129,9 @@ Deny from all - # Except those whitelisted bellow. - + # Except those allowed below. + Order allow,deny Allow from all - + -
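Review bot: The new comment `# Except those allowed below.` in the first `.htaccess` hunk (repeated in the first hunk of `app/assets/scaffold/files/htaccess`) does not say that the exception is now bound to a file's location, which the commit message gives as the purpose of the fix. I would write it as `# Except these entry points, matched by full request path; a same-named PHP file elsewhere stays denied.` so a later edit does not widen it back to a bare filename match. The container lines around `Require all granted` are empty in this rendering, so the pattern itself could not be checked here; after the "loosened regex" step it is worth confirming that it is still anchored at the start of the path and that what it accepts after `.php` is intended. The enclosing module block starts and ends outside the hunk.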
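Review bot: The second `.htaccess` hunk swaps the allow container inside what appears to be the fallback block for Apache older than 2.4 (`Order allow,deny` / `Allow from all`), and the new container may not exist on those versions. The container lines are empty in this rendering, so this is inferred: if the replacement is an `If` expression container, as a path-based match would likely need, Apache 2.2 does not provide it, and an unrecognised directive in `.htaccess` makes the server answer 500 for the whole directory. Either keep this block to directives that 2.2 supports, or state the requirement in the file, for example `# NOTE: the path-based allow rule below needs Apache 2.4 or later.` The same applies to the second hunk of `app/assets/scaffold/files/htaccess`; the enclosing block starts outside both hunks.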