WP File Manager (Pro) .htaccess defect
Hi,
Couldn’t find a GitHub source for this and/or a PR.
Your WP File Manager plugin, and probably the Pro version as well, contains a defect. It writes a broken .htaccess file to wp-content/uploads/wp-file-manager-pro/fm_backup/.
From file_folder_manager.php source, version 7.1.5, lines 75 – 86 write the .htaccess file:

    $myfile = $backup_dirname."/.htaccess";
    if(!file_exists($myfile)){
        $myfileHandle = @fopen($myfile, 'w+');
        if(!is_bool($myfileHandle)){
            $txt = '<FilesMatch "\.(zip|gz)$">';
            $txt .= "\nOrder allow,deny\n";
            $txt .= "Deny from all\n";
            $txt .= "</Files>";
            @fwrite($myfileHandle, $txt);
            @fclose($myfileHandle);
        }
    }

There are two defects here:
- FilesMatch and Files don’t match. The latter must be FilesMatch too or start and end sections don’t belong to each other.
- Order allow,deny doesn’t work on Apache 2.4.6+ (1). This must be wrapped in an IfModule statement.
(1) For an optimal .htaccess, rewrite FilesMatch to:

    <FilesMatch "\.(zip|gz)$">
        # Apache 2.2
        <IfModule !mod_authz_core.c>
            Order Deny,Allow
            Deny from all
        </IfModule>
        # Apache 2.4.6+
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
    </FilesMatch>

Taken from https://www.saotn.org/wordpress-htaccess-security-best-practices-apache-24/
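
A small check for the two defects reported above, as an added example that is not part of the original post or the plugin's code: it flags section tags that do not match and Apache 2.2 access directives that sit outside an `<IfModule !mod_authz_core.c>` guard. The names `lint_htaccess`, `LEGACY` and `TAG` are hypothetical; `BROKEN` is the text the quoted plugin code writes and `FIXED` is the rewrite proposed in the post.

```python
import re

# Access directives of Apache 2.2 (mod_access_compat provides them on 2.4).
LEGACY = {"order", "allow", "deny", "satisfy"}
# Opening or closing section tag, e.g. <FilesMatch "..."> or </Files>.
TAG = re.compile(r"^<\s*(/?)\s*([A-Za-z]+)\s*(.*?)>$")

# Constructed from the $txt string in the plugin code quoted in the post.
BROKEN = r'''<FilesMatch "\.(zip|gz)$">
Order allow,deny
Deny from all
</Files>'''
# The rewrite proposed in the post.
FIXED = r'''<FilesMatch "\.(zip|gz)$">
# Apache 2.2
<IfModule !mod_authz_core.c>
Order Deny,Allow
Deny from all
</IfModule>
# Apache 2.4.6+
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</FilesMatch>'''

def lint_htaccess(text):
    """Return (line_number, message) findings for the two defect classes."""
    findings, stack = [], []  # stack holds (name, argument, line_number)
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG.match(line)
        if m and not m.group(1):            # opening tag
            stack.append((m.group(2), m.group(3).strip(), n))
        elif m and not stack:               # closing tag with nothing open
            findings.append((n, f"</{m.group(2)}> closes nothing"))
        elif m:                             # closing tag: must match the innermost open one
            opened, _, at = stack.pop()
            if opened.lower() != m.group(2).lower():
                findings.append((n, f"</{m.group(2)}> does not close <{opened}> from line {at}"))
        elif line.split()[0].lower() in LEGACY:
            guarded = any(k.lower() == "ifmodule" and a.startswith("!") and "authz_core" in a
                          for k, a, _ in stack)
            if not guarded:
                findings.append((n, f"'{line}' is not inside <IfModule !mod_authz_core.c>"))
    findings += [(at, f"<{k}> is never closed") for k, _, at in stack]
    return findings
```

Running `lint_htaccess(BROKEN)` reports lines 2, 3 and 4; `lint_htaccess(FIXED)` returns an empty list.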