Merge branch '3.3.x'

marc1706 · marc1706 · commit 376fc13da147 · 2025-12-29T17:08:01.000+01:00
diff --git a/phpBB/.htaccess b/phpBB/.htaccess
@@ -60,6 +60,14 @@ RewriteRule ^(.*)$ app.php [QSA,L]
 			Order Allow,Deny
 			Deny from All
 		</Files>
+		<Files "composer.json">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+		<Files "composer.lock">
+			Order Allow,Deny
+			Deny from All
+		</Files>
 	</IfVersion>
 	<IfVersion >= 2.4>
 		<Files "config.php">
@@ -68,6 +76,12 @@ RewriteRule ^(.*)$ app.php [QSA,L]
 		<Files "common.php">
 			Require all denied
 		</Files>
+		<Files "composer.json">
+			Require all denied
+		</Files>
+		<Files "composer.lock">
+			Require all denied
+		</Files>
 	</IfVersion>
 </IfModule>
 <IfModule !mod_version.c>
@@ -80,6 +94,14 @@ RewriteRule ^(.*)$ app.php [QSA,L]
 			Order Allow,Deny
 			Deny from All
 		</Files>
+		<Files "composer.json">
+			Order Allow,Deny
+			Deny from All
+		</Files>
+		<Files "composer.lock">
+			Order Allow,Deny
+			Deny from All
+		</Files>
 	</IfModule>
 	<IfModule mod_authz_core.c>
 		<Files "config.php">
@@ -88,5 +110,11 @@ RewriteRule ^(.*)$ app.php [QSA,L]
 		<Files "common.php">
 			Require all denied
 		</Files>
+		<Files "composer.json">
+			Require all denied
+		</Files>
+		<Files "composer.lock">
+			Require all denied
+		</Files>
 	</IfModule>
 </IfModule>
diff --git a/phpBB/docs/lighttpd.sample.conf b/phpBB/docs/lighttpd.sample.conf
@@ -32,6 +32,11 @@ $HTTP["host"] == "www.myforums.com" {
 		url.access-deny = ( "" )
 	}
 
+	# Deny access to composer files.
+	$HTTP["url"] =~ "^/composer\.(json|lock)$" {
+		url.access-deny = ( "" )
+	}
+
 	# Deny access to version control system directories.
 	$HTTP["url"] =~ "/\.svn|/\.git" {
 		url.access-deny = ( "" )
diff --git a/phpBB/docs/nginx.sample.conf b/phpBB/docs/nginx.sample.conf
@@ -55,7 +55,7 @@ server {
 		}
 
 		# Deny access to internal phpbb files.
-		location ~ /(config|common\.php|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor|vendor-ext) {
+		location ~ /(config|common\.php|composer\.(json|lock)|cache|files|images/avatars/upload|includes|(?<!ext/)phpbb(?!\w+)|store|vendor|vendor-ext) {
 			deny all;
 			# deny was ignored before 0.8.40 for connections over IPv6.
 			# Use internal directive to prohibit access on older versions.

Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ server {`
`55`	`55`	`}`
`56`	`56`
`57`	`57`	`# Deny access to internal phpbb files.`
`58`		`- location ~ /(config\|common\.php\|cache\|files\|images/avatars/upload\|includes\|(?<!ext/)phpbb(?!\w+)\|store\|vendor\|vendor-ext) {`
	`58`	`+ location ~ /(config\|common\.php\|composer\.(json\|lock)\|cache\|files\|images/avatars/upload\|includes\|(?<!ext/)phpbb(?!\w+)\|store\|vendor\|vendor-ext) {`
`59`	`59`	`deny all;`
`60`	`60`	`# deny was ignored before 0.8.40 for connections over IPv6.`
`61`	`61`	`# Use internal directive to prohibit access on older versions.`