From 2d291a73a65a6009ce99edf32569e484e6fc3a19 Mon Sep 17 00:00:00 2001
From: Fabian Schmengler <fs@integer-net.de>
Date: Fri, 11 Jan 2019 11:18:28 +0100
Subject: [PATCH] Deny access to XML and PHTML files in pub/errors

For apache via .htaccess and in nginx sample configuration
---
 nginx.conf.sample    | 7 ++++++-
 pub/errors/.htaccess | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/nginx.conf.sample b/nginx.conf.sample
index 90604808f6ec0..80cc88431eff8 100644
--- a/nginx.conf.sample
+++ b/nginx.conf.sample
@@ -159,6 +159,11 @@ location /media/downloadable/ {
 location /media/import/ {
     deny all;
 }
+location /errors/ {
+    location ~* \.xml$ {
+        deny all;
+    }
+}
 
 # PHP entry point for main application
 location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
@@ -198,6 +203,6 @@ gzip_types
 gzip_vary on;
 
 # Banned locations (only reached if the earlier PHP entry point regexes don't match)
-location ~* (\.php$|\.htaccess$|\.git) {
+location ~* (\.php$|\.phtml$|\.htaccess$|\.git) {
     deny all;
 }
diff --git a/pub/errors/.htaccess b/pub/errors/.htaccess
index 3692dd439e2ff..a7b9cbda05893 100644
--- a/pub/errors/.htaccess
+++ b/pub/errors/.htaccess
@@ -1,4 +1,7 @@
 Options None
+<FilesMatch "\.(xml|phtml)$">
+    Deny from all
+</FilesMatch>
 <IfModule mod_rewrite.c>
     RewriteEngine Off
 </IfModule>