diff --git a/.htaccess b/.htaccess
index 686df7ba8..4d951c88b 100644
--- a/.htaccess
+++ b/.htaccess
@@ -30,6 +30,8 @@ RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico
 RewriteRule ^(?!installer|\.well-known\/|[a-zA-Z0-9]{16})(\.?[^\.]+)$ - [F]
 # - deny access to some locations
 RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
+# - deny access to composer binaries
+RewriteRule ^/vendor\/bin\/.* - [F]
 # - deny access to some documentation files
 RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml|jsdeps.json|Dockerfile)$ - [F]
diff --git a/CHANGELOG b/CHANGELOG
index d70fe13bd..c13ca6b5a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -14,6 +14,7 @@ CHANGELOG Roundcube Webmail
 - Fix bug where signature couldn't be added above the quote in Firefox 51 (#5628)
 - Fix regression where groups with email address were resolved to its members' addresses
 - Fix update of group name in the contacts list header on group rename (#5648)
+- Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
 RELEASE 1.3-beta
 ----------------
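Review bot: In the .htaccess hunk, the added rule `RewriteRule ^/vendor\/bin\/.* - [F]` is anchored on a leading slash, but in per-directory (.htaccess) context mod_rewrite strips the directory prefix, so the matched path never begins with `/`. The rule will therefore not fire and /vendor/bin stays reachable. The "deny access to some locations" rule just above already handles both contexts with `^/?`; the same form works here, `RewriteRule ^/?vendor\/bin\/.* - [F]`, or `vendor\/bin` could be added to that rule's alternation. It is worth confirming with a request for a file under vendor/bin that a 403 is returned. The surrounding rewrite block begins and ends outside the hunk, so whether these rules apply at all depends on configuration not visible here.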