[ticket/security-181] Port .htaccess changes to other webserver types

SECURITY-181

3 files changed, 5 insertions, 2 deletions

diff --git a/phpBB/docs/lighttpd.sample.conf b/phpBB/docs/lighttpd.sample.conf
index 5b04122267..f5b509e002 100644
--- a/phpBB/docs/lighttpd.sample.conf
+++ b/phpBB/docs/lighttpd.sample.conf
@@ -37,7 +37,7 @@ $HTTP["host"] == "www.myforums.com" {
 	accesslog.filename		= "/var/log/lighttpd/access-www.myforums.com.log"
 	
 	# Deny access to internal phpbb files.	
-	$HTTP["url"] =~ "^/(config\.php|common\.php|includes|cache|files|store|images/avatars/upload)" {
+	$HTTP["url"] =~ "^/(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor)" {
 		url.access-deny = ( "" )
 	}
 
diff --git a/phpBB/docs/nginx.sample.conf b/phpBB/docs/nginx.sample.conf
index 2ead3552fd..bf33f4e73d 100644
--- a/phpBB/docs/nginx.sample.conf
+++ b/phpBB/docs/nginx.sample.conf
@@ -72,7 +72,7 @@ http {
         }
 
         # Deny access to internal phpbb files.
-        location ~ /(config\.php|common\.php|includes|cache|files|store|images/avatars/upload) {
+        location ~ /(config\.php|common\.php|cache|files|images/avatars/upload|includes|phpbb|store|vendor) {
             deny all;
             # deny was ignored before 0.8.40 for connections over IPv6.
             # Use internal directive to prohibit access on older versions.
diff --git a/phpBB/web.config b/phpBB/web.config
index 99a1fe6023..d0a3cb33fe 100644
--- a/phpBB/web.config
+++ b/phpBB/web.config
@@ -18,7 +18,10 @@
 				<hiddenSegments>
 					<add segment="cache" />
 					<add segment="files" />
+					<add segment="includes" />
+					<add segment="phpbb" />
 					<add segment="store" />
+					<add segment="vendor" />
 					<add segment="config.php" />
 					<add segment="common.php" />
 				</hiddenSegments>