MAGETWO-71157: Servers Configurations Needs Update

OlgaVasyltsun · OlgaVasyltsun · commit 4daa54d98229 · 2018-09-06T14:48:16.000+03:00
diff --git a/.htaccess b/.htaccess
@@ -364,6 +364,15 @@
             Require all denied
         </IfVersion>
     </Files>
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 
 # For 404s and 403s that aren't handled by the application, show plain 404 response
 ErrorDocument 404 /pub/errors/404.php
diff --git a/.htaccess.sample b/.htaccess.sample
@@ -341,6 +341,15 @@
             Require all denied
         </IfVersion>
     </Files>
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 
 # For 404s and 403s that aren't handled by the application, show plain 404 response
 ErrorDocument 404 /pub/errors/404.php
diff --git a/nginx.conf.sample b/nginx.conf.sample
@@ -33,6 +33,11 @@ charset UTF-8;
 error_page 404 403 = /errors/404.php;
 #add_header "X-UA-Compatible" "IE=Edge";
 
+# Deny access to sensitive files
+location /.user.ini {
+    deny all;
+}
+
 # PHP entry point for setup application
 location ~* ^/setup($|/) {
     root $MAGE_ROOT;
diff --git a/pub/.htaccess b/pub/.htaccess
@@ -220,6 +220,16 @@ ErrorDocument 403 /errors/404.php
             Require all denied
         </IfVersion>
     </Files>
+## Deny access  to .user.ini##
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 
 <IfModule mod_headers.c>
     ############################################
