From ded453cdc41328e111a4431e93d042dbaaff388b Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Tue, 22 Dec 2015 13:21:22 +0100 Subject: [PATCH] Fix .htaccess rewrite rules to not block .well-known URIs (#1490615) Conflicts: .htaccess CHANGELOG --- .htaccess | 2 +- CHANGELOG | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.htaccess b/.htaccess index 95e5bf475..6f1d13d1d 100644 --- a/.htaccess +++ b/.htaccess @@ -31,7 +31,7 @@ RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico # security rules: # - deny access to files not containing a dot or starting with a dot # in all locations except installer directory -RewriteRule ^(?!installer|[a-f0-9]{16})(\.?[^\.]+)$ - [F] +RewriteRule ^(?!installer|\.well-known\/|[a-f0-9]{16})(\.?[^\.]+)$ - [F] # - deny access to some locations RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F] # - deny access to some documentation files diff --git a/CHANGELOG b/CHANGELOG index 207482193..3f7cbd961 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -6,6 +6,7 @@ CHANGELOG Roundcube Webmail - Fix so Installer requires PHP5 - Make brute force attacks harder by re-generating security token on every failed login (#1490549) - Slow down brute-force attacks by waiting for a second after failed login (#1490549) +- Fix .htaccess rewrite rules to not block .well-known URIs (#1490615) - Fix so database_attachments::cleanup() does not remove attachments from other sessions (#1490542) - Fix responses list update issue after response name change (#1490555) - Fix bug where message preview was unintentionally reset on check-recent action (#1490563)
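
Review bot: The comment above the changed RewriteRule in .htaccess still says "in all locations except installer directory", but the negative lookahead now also exempts `\.well-known\/` (and already exempted the `[a-f0-9]{16}` prefix), so the comment no longer describes what the rule lets through. Please extend it to list every exception. The new alternative also exempts every dotless path below `.well-known/` rather than specific well-known URIs, so any extensionless file placed in that directory is no longer covered by this deny rule. If only particular subpaths are needed, naming them in the alternative would keep the rule tighter. The trailing `\/` is the right choice here, since it limits the exemption to the directory itself, whereas the existing `installer` alternative matches any path that merely begins with that string.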