MAGETWO-71156: [Backport for 2.1.x] Magento 2.x default configuration leaks custom PHP settings via .user.ini

Author: svitja

.htaccess

@@ -114,6 +114,15 @@ DirectoryIndex index.php
         order allow,deny
         deny from all
     </Files>
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 ErrorDocument 404 /pub/errors/404.php
 ErrorDocument 403 /pub/errors/404.php
 <IfModule mod_headers.c>

.htaccess.sample

@@ -278,6 +278,15 @@ DirectoryIndex index.php
         order allow,deny
         deny from all
     </Files>
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 
 # For 404s and 403s that aren't handled by the application, show plain 404 response
 ErrorDocument 404 /pub/errors/404.php

nginx.conf.sample

@@ -33,6 +33,11 @@ charset UTF-8;
 error_page 404 403 = /errors/404.php;
 #add_header "X-UA-Compatible" "IE=Edge";
 
+# Deny access to sensitive files
+location /.user.ini {
+    deny all;
+}
+
 # PHP entry point for setup application
 location ~* ^/setup($|/) {
     root $MAGE_ROOT;

pub/.htaccess

@@ -210,6 +210,18 @@ ErrorDocument 403 /errors/404.php
         deny from all
     </Files>
 
+###########################################
+## Deny access  to .user.ini
+    <Files .user.ini>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
+
 <IfModule mod_headers.c>
     ############################################
     ## Prevent clickjacking