[Mediawiki-l] MediaWiki security release 1.16.3

Brian J Mingus brian.mingus at Colorado.EDU
Thu Apr 14 07:38:51 UTC 2011


On Thu, Apr 14, 2011 at 1:29 AM, Gordon Joly <gordon.joly at pobox.com> wrote:

> On 12/04/2011 04:23, Tim Starling wrote:
> >
> > To fix this issue, configure your web server to deny requests with
> > URLs that have a path part ending in a dot followed by a dangerous
> > file extension. For example, in Apache with mod_rewrite:
> >
> >      RewriteEngine On
> >      RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
> >      RewriteRule . - [forbidden]
>
> I see that this snippet is to be found in the ".htaccess" file inside
> ./images/ (this appears to be a new file in 1.16.3)
>
> Could the ".htaccess" be placed at top level (that is one above ./images/)?
>
> Since the file is there, is there any need to change the web server
> configuration?
>
> Gordo
>
>
For starters, Apache must be configured to parse .htaccess files.


-- 
Brian Mingus
Graduate student
Computational Cognitive Neuroscience Lab
University of Colorado at Boulder
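
Added example, not part of the original message or of MediaWiki's shipped files: a server-configuration sketch of the point made in the reply, showing when Apache honours the rewrite rule in images/.htaccess and how to apply the same rule without depending on .htaccess at all. The install path /var/www/wiki is an assumption, and mod_rewrite is assumed to be loaded.

```apache
# Constructed example. /var/www/wiki is an assumed install path; adjust it.
# mod_rewrite must be loaded for any of the Rewrite* directives to work.

# Ineffective setup: with AllowOverride None, Apache never reads
# images/.htaccess, so the rule shipped in that file does nothing.
#<Directory "/var/www/wiki/images">
#    AllowOverride None
#</Directory>

# Option 1: allow images/.htaccess to carry the rule.
# RewriteEngine, RewriteCond and RewriteRule belong to the FileInfo
# override class, so FileInfo is the narrowest AllowOverride that works.
<Directory "/var/www/wiki/images">
    AllowOverride FileInfo
    # Per-directory rewriting is refused unless FollowSymLinks or
    # SymLinksIfOwnerMatch is enabled for the directory.
    Options +SymLinksIfOwnerMatch
</Directory>

# Option 2 (use instead of Option 1, not together with it): keep
# .htaccess disabled and put the rule from the announcement directly in
# the server configuration, so it cannot be lost if the file is removed.
#<Directory "/var/www/wiki/images">
#    AllowOverride None
#    Options +SymLinksIfOwnerMatch
#    RewriteEngine On
#    RewriteCond %{QUERY_STRING} \.[a-z]{1,4}$ [nocase]
#    RewriteRule . - [forbidden]
#</Directory>
```

An .htaccess file applies to its own directory and everything below it, so the configuration above only covers requests that map into images/.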