TALK: Whitelist allowed files/directories accessed through apache inside the dolibarr container

[JonBendtsen]

Hey

Let's whitelist allowed files accessed through apache inside the dolibarr container

Denied:

• conf/
• langs/
• conf.php
• .git
• .gitignore
• *.lang
• *.xml
• *.odt ?
• *.otf ?
• *.yml
• *.sql
• *.txt
• *.md

Allowed:

• almost *.php
• *.png?
• *.jpg
• *.gif
• *.ico
• *.css
• *.js
• *.zvg
• *.svg
• *.html
• *.webp
• *.ttf

Preferably this is done both in apache configuration and in a .htaccess file - for security, and I don't think that the .htaccess files will impact performance too much - because how much load is there on a CRM?

[cibero42]

Hey @JonBendtsen ,

.odt shouldn't be denied, as people can store documents on this format - actually, denying any extension related to Office/LibreOffice suites will cause generalized problems.

[JonBendtsen]

Hey @JonBendtsen ,

.odt shouldn't be denied, as people can store documents on this format - actually, denying any extension related to Office/LibreOffice suites will cause generalized problems.

yeah maybe. My thoughts are that we could

1. especially allow it at those url locations where they should be allowed to be shared
2. hmm, maybe we are not even serving those kinds of files directly through apache, but rather through PHP, because when I look at a link to a PDF in Dolibarr, I get an url that looks like this:

/document.php?modulepart=facture&file=IN2503-0608%2FIN2503-0608.pdf&entity=1

so if 2 is true, then I don't think a FilesMatch in apache that denies a .pdf would get triggered

[cibero42]

But Apache would deny it anyway, no? Since everything passes through it

[JonBendtsen]

But Apache would deny it anyway, no? Since everything passes through it

No, because PHP handles it.

[cibero42]

Uh, perhaps you can test it?

I think that we can use the file manager to test that

[JonBendtsen]

We have to test it, and we should build some auto-magic system that can be used for testing