Merge pull request #3589 from magento-tsg/2.2.8-develop-pr67

xmav · web-flow · commit 8dcc1b4a9f25 · 2019-01-11T13:43:00.000+02:00
[TSG] Backporting for 2.2 (pr67) (2.2.8-develop)
diff --git a/.htaccess b/.htaccess
@@ -364,6 +364,15 @@
             Require all denied
         </IfVersion>
     </Files>
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 
 # For 404s and 403s that aren't handled by the application, show plain 404 response
 ErrorDocument 404 /pub/errors/404.php
diff --git a/.htaccess.sample b/.htaccess.sample
@@ -341,6 +341,15 @@
             Require all denied
         </IfVersion>
     </Files>
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 
 # For 404s and 403s that aren't handled by the application, show plain 404 response
 ErrorDocument 404 /pub/errors/404.php
diff --git a/app/code/Magento/AdminNotification/Block/Grid/Renderer/Actions.php b/app/code/Magento/AdminNotification/Block/Grid/Renderer/Actions.php
@@ -8,6 +8,9 @@
 
 namespace Magento\AdminNotification\Block\Grid\Renderer;
 
+/**
+ * Renderer class for action in the admin notifications grid.
+ */
 class Actions extends \Magento\Backend\Block\Widget\Grid\Column\Renderer\AbstractRenderer
 {
     /**
diff --git a/nginx.conf.sample b/nginx.conf.sample
@@ -33,6 +33,11 @@ charset UTF-8;
 error_page 404 403 = /errors/404.php;
 #add_header "X-UA-Compatible" "IE=Edge";
 
+# Deny access to sensitive files
+location /.user.ini {
+    deny all;
+}
+
 # PHP entry point for setup application
 location ~* ^/setup($|/) {
     root $MAGE_ROOT;
diff --git a/pub/.htaccess b/pub/.htaccess
@@ -220,6 +220,16 @@ ErrorDocument 403 /errors/404.php
             Require all denied
         </IfVersion>
     </Files>
+## Deny access  to .user.ini##
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 
 <IfModule mod_headers.c>
     ############################################

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,9 @@`
`8`	`8`
`9`	`9`	`namespace Magento\AdminNotification\Block\Grid\Renderer;`
`10`	`10`
	`11`	`+/**`
	`12`	`+ * Renderer class for action in the admin notifications grid.`
	`13`	`+ */`
`11`	`14`	`class Actions extends \Magento\Backend\Block\Widget\Grid\Column\Renderer\AbstractRenderer`
`12`	`15`	`{`
`13`	`16`	`/**`