Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477)

.htaccess

@@ -27,26 +27,16 @@ php_value	session.gc_probability	1
 RewriteEngine On
 RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
 
-# security rules
-RewriteRule ^/?(\.git|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
-RewriteRule /?(README(.md)?|composer\.json-dist|composer\.json|package\.xml)$ - [F]
+# security rules:
+# - deny access to files not containing a dot or starting with a dot
+#   in all locations except installer directory
+RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
+# - deny access to some locations
+RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+# - deny access to some documentation files
+RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
 </IfModule>
 
-# deny access to all files not containing a "." (dot)
-# to block access to different README, Changelog, INSTALL, etc.
-# files of various skins and plugins.
-<FilesMatch "^[^\.]+$">
-    # Apache 2.4
-    <IfModule mod_authz_core.c>
-        Require all denied
-    </IfModule>
-    # Apache 2.2
-    <IfModule !mod_authz_core.c>
-        Order Allow,Deny
-        Deny from all
-    </IfModule>
-</FilesMatch>
-
 <IfModule mod_deflate.c>
 SetOutputFilter DEFLATE
 </IfModule>

CHANGELOG

@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477)
 - Fix regression where only first new folder was placed in correct place on the list (#1489472)
 - Fix issue where children of selected and collapsed thread were skipped on various actions (#1489457)
 - Fix issue where groups were not deleted when "Replace entire addressbook" option on contacts import was used (#1489420)