• The last section of .htaccess rules generated by BWPS has a rule that should block access to Git files, but it’s not working for me. I can open https://example.com/.gitignore or https://example.com/.git/config in my browser and see the contents of the files.

    RewriteCond %{QUERY_STRING} ^.*(bash|git|hg|log|svn|swp|cvs) [NC,OR]

    I tried the updated rule from trunk, and it doesn’t block them either.

    RewriteCond %{QUERY_STRING} ^.*\.(bash|git|hg|log|svn|swp|cvs) [NC,OR]

    https://www.ads-software.com/extend/plugins/better-wp-security/

Viewing 2 replies - 1 through 2 (of 2 total)
  • You can block all hidden files like so:

    RewriteRule ^\..+$ - [F]

    or

    RewriteRule ^\. - [F]

    NOTE: By hidden files I mean all files that begin with a literal period.

    Thread Starter Ian Dunn

    (@iandunn)

    I know, I’ve got an extra rule set up to block Git files, but I wanted to let BWPS’s developer know that there’s a bug so he can fix it. A lot of people will assume that Git/SVN/logs/etc are being blocked because BWPS claims to be doing it, and so they won’t set up their own rules and they’ll be vulnerable.

  • The topic ‘git files not blocked by htaccess rules’ is closed to new replies.
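
Added example (not part of the original thread and not BWPS code): a Python model of which string mod_rewrite tests each pattern against, showing why the `%{QUERY_STRING}` conditions never see `/.git/config` while the `RewriteRule` pattern from the reply does. The sample URLs other than the two in the first post and the `ANY_DEPTH_RULE` pattern are assumptions constructed for illustration, and Python's `re` stands in for Apache's PCRE.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the thread; the [NC] flag is modelled with re.IGNORECASE.
BWPS_COND = re.compile(r"^.*(bash|git|hg|log|svn|swp|cvs)", re.I)     # RewriteCond %{QUERY_STRING}
TRUNK_COND = re.compile(r"^.*\.(bash|git|hg|log|svn|swp|cvs)", re.I)  # RewriteCond %{QUERY_STRING}
REPLY_RULE = re.compile(r"^\.")                                       # RewriteRule ^\. - [F]
# Assumption, not from the thread: also catch dot-segments below the top level.
ANY_DEPTH_RULE = re.compile(r"(?:^|/)\.")


def mod_rewrite_inputs(url):
    """Split a URL into the two strings a document-root .htaccess tests."""
    parts = urlsplit(url)
    # RewriteRule in .htaccess sees the path without its leading slash;
    # %{QUERY_STRING} holds only what follows the '?'.
    return parts.path.lstrip("/"), parts.query


def evaluate(url):
    """Report which of the patterns would fire for this request."""
    path, query = mod_rewrite_inputs(url)
    return {
        "bwps_cond": bool(BWPS_COND.search(query)),
        "trunk_cond": bool(TRUNK_COND.search(query)),
        "reply_rule": bool(REPLY_RULE.search(path)),
        "any_depth_rule": bool(ANY_DEPTH_RULE.search(path)),
    }


# The first two URLs are from the first post; the rest are constructed samples.
SAMPLES = [
    "https://example.com/.gitignore",
    "https://example.com/.git/config",
    "https://example.com/index.php?file=.git/config",   # only here do the conds match
    "https://example.com/?s=login",                      # 'log' in 'login' trips the old cond
    "https://example.com/wp-content/themes/x/.git/config",
]

if __name__ == "__main__":
    for url in SAMPLES:
        hits = [name for name, hit in evaluate(url).items() if hit]
        print(f"{url:55} -> {', '.join(hits) or 'nothing matches'}")
```

A rule that denies every dot-path also denies `/.well-known/`, so sites that rely on it (for example for ACME certificate validation) need an exception ahead of the deny rule.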