fixed #3260 (#3261)

zikula · Dec 4, 2016 · 80c0a8d · 80c0a8d
1 parent 51af9ba
commit 80c0a8d
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/CHANGELOG-1.4.md b/CHANGELOG-1.4.md
@@ -33,6 +33,7 @@ CHANGELOG - ZIKULA 1.4.x
     - Refactored PhpParser usage in ZikulaPhpFileExtractor to namespaces (#3183).
     - Fixed possible jcss vulnerability in Windows environment (#3237).
     - Use namespaced include notation in themes (#3230, #3246).
+    - Block access to possibly malicious vendor demo file (#3260, #3261).
 
  - Features:
     - Lost password functionality has been simplified to work without an additional (confusing) confirmation step (#1781, #3178).

diff --git a/src/.htaccess b/src/.htaccess
@@ -14,6 +14,9 @@
     # Enable RewriteBase if Zikula is installed to a sub-directory
     # RewriteBase /your/path/to/Zikula
 
+    # Block access to possibly malicious vendor demo file
+    RewriteRule ^vendor/vakata/jstree/demo/filebrowser/(.*)$ - [F,L]
+
     # rewrite any unknown directories and files
 
     # Check if the requested path is an existing directory