Merge branch 'MAGETWO-40265-exposed-resources' into develop

Author: Dale Sikkema

.gitignore

@@ -47,3 +47,4 @@ atlassian*
 /var/*
 !/var/.htaccess
 /vendor
+!/vendor/.htaccess

.htaccess

@@ -171,13 +171,83 @@
 </IfModule>
 
 ###########################################
-## Deny access to release notes to prevent disclosure of the installed Magento version
+## Deny access to root files to hide sensitive application information
+    RedirectMatch 404 /\.git
 
-    <Files RELEASE_NOTES.txt>
-        Order allow,deny
-        Deny from all
+    <Files composer.json>
+        order allow,deny
+        deny from all
     </Files>
-############################################
+    <Files composer.lock>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files .gitignore>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files .htaccess>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files .htaccess.sample>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files .php_cs>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files .travis.yml>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files CHANGELOG.md>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files CONTRIBUTING.md>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files CONTRIBUTOR_LICENSE_AGREEMENT.html>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files COPYING.txt>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files Gruntfile.js>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files LICENSE.txt>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files LICENSE_AFL.txt>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files nginx.conf.sample>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files package.json>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files php.ini.sample>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files README.md>
+        order allow,deny
+        deny from all
+    </Files>
+
+################################
 ## If running in cluster environment, uncomment this
 ## http://developer.yahoo.com/performance/rules.html#etags
 

.htaccess.sample

@@ -36,7 +36,7 @@
 ############################################
 ## adjust memory limit
 
-    php_value memory_limit 256M
+    php_value memory_limit 768M
     php_value max_execution_time 18000
 
 ############################################
@@ -65,13 +65,6 @@
     SecFilterScanPOST Off
 </IfModule>
 
-<IfModule mod_headers.c>
-############################################
-## prevent clickjacking
-
-    Header set X-Frame-Options SAMEORIGIN
-</IfModule>
-
 <IfModule mod_deflate.c>
 
 ############################################
@@ -136,9 +129,11 @@
     RewriteRule .* - [L,R=405]
 
 ############################################
-## always send 404 on missing files in these folders
+## redirect for mobile user agents
 
-    RewriteCond %{REQUEST_URI} !^/pub/(media|js)/
+    #RewriteCond %{REQUEST_URI} !^/mobiledirectoryhere/.*$
+    #RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|googlebot-mobile" [NC]
+    #RewriteRule ^(.*)$ /mobiledirectoryhere/ [L,R=302]
 
 ############################################
 ## never rewrite for existing files, directories and links
@@ -175,16 +170,84 @@
 </IfModule>
 
 ###########################################
-## Deny access to release notes to prevent disclosure of the installed Magento version
+## Deny access to root files to hide sensitive application information
+    RedirectMatch 404 /\.git
 
-    <Files RELEASE_NOTES.txt>
-        Order allow,deny
-        Deny from all
+    <Files composer.json>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files composer.lock>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files .gitignore>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files .htaccess>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files .htaccess.sample>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files .php_cs>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files .travis.yml>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files CHANGELOG.md>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files CONTRIBUTING.md>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files CONTRIBUTOR_LICENSE_AGREEMENT.html>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files COPYING.txt>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files Gruntfile.js>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files LICENSE.txt>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files LICENSE_AFL.txt>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files nginx.conf.sample>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files package.json>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files php.ini.sample>
+        order allow,deny
+        deny from all
+    </Files>
+    <Files README.md>
+        order allow,deny
+        deny from all
     </Files>
 
-############################################
+################################
 ## If running in cluster environment, uncomment this
 ## http://developer.yahoo.com/performance/rules.html#etags
 
     #FileETag none
-

nginx.conf.sample

@@ -26,20 +26,42 @@ charset off;
 
 location /setup {
     root $MAGE_ROOT;
-
     location ~ ^/setup/index.php {
         fastcgi_pass   fastcgi_backend;
         fastcgi_index  index.php;
         fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
         include        fastcgi_params;
     }
+
+    location ~ /setup/(?!pub/). {
+        deny all;
+    }
+}
+
+location /update {
+    root $MAGE_ROOT;
+
+    location ~ /update/index.php {
+        fastcgi_pass   fastcgi_backend;
+        fastcgi_index  index.php;
+        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+        include        fastcgi_params;
+    }
+
+    # deny everything but index.php
+    location ~ /update/(?!pub/). {
+        deny all;
+    }
 }
 
 location / {
     try_files $uri $uri/ /index.php?$args;
 }
 
 location /pub {
+    location ~ ^/pub/media/(downloadable|customer|import|theme_customization/.*\.xml) {
+        deny all;
+    }
     alias $MAGE_ROOT/pub;
 }
 
@@ -70,6 +92,11 @@ location /static/ {
 
 location /media/ {
     try_files $uri $uri/ /get.php?$args;
+
+    location ~ ^/media/theme_customization/.*\.xml {
+        deny all;
+    }
+
     location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
         add_header Cache-Control "public";
         expires +1y;
@@ -90,15 +117,7 @@ location /media/downloadable/ {
     deny all;
 }
 
-location ~ /media/theme_customization/.*\.xml$ {
-    deny all;
-}
-
-location /errors/ {
-    try_files $uri =404;
-}
-
-location ~ ^/errors/.*\.(xml|phtml)$ {
+location /media/import/ {
     deny all;
 }
 

pub/errors/.htaccess

@@ -2,6 +2,3 @@ Options None
 <IfModule mod_rewrite.c>
     RewriteEngine Off
 </IfModule>
-<FilesMatch "\.(xml|phtml)$">
-    Deny from all
-</FilesMatch>

setup/config/.htaccess

@@ -0,0 +1,2 @@
+order allow,deny
+deny from all

setup/performance-toolkit/.htaccess

@@ -0,0 +1,2 @@
+order allow,deny
+deny from all

setup/src/.htaccess

@@ -0,0 +1,2 @@
+order allow,deny
+deny from all

setup/view/.htaccess

@@ -0,0 +1,2 @@
+order allow,deny
+deny from all

vendor/.htaccess

@@ -0,0 +1,2 @@
+Order allow,deny
+Deny from all