PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 19:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

security: fix all HIGH priority items from TODO.SECURITY.md

Browse Source 
Items resolved:
- #3 (HIGH): Move file uploads outside webroot to STORAGE_ROOT (/var/www/posterg/storage).
  Uploads were previously stored in public/admin/actions/data/ which is web-accessible.
- #4 (HIGH): Align file paths and add media.php controller.
  DB paths are now storage-relative (theses/YEAR/ID/file, covers/file).
  New public/media.php serves files with path-traversal jail, MIME allow-list,
  and proper caching headers. memoire.php and search.php updated to use /media.php?path=.
  Also fixed: cover images were never recorded in thesis_files (broken INSERT).
- #5 (HIGH): RateLimit::getClientIdentifier() now uses REMOTE_ADDR only.
  HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP are attacker-controlled headers that
  allowed unlimited rate-limit bypass by rotating spoofed IPs.
- #6 (HIGH): Port public/admin/.htaccess security rules to nginx/posterg.conf.
  Apache .htaccess directives are silently ignored by nginx; none were active.
  CSP added to /admin/ location block, .log file denial added globally,
  autoindex off made explicit. Documented in nginx/HTACCESS_TO_NGINX.md.

Supporting changes:
- config/bootstrap.php: add STORAGE_ROOT constant
- nginx/SECURITY_HEADERS.md: updated to reflect admin CSP and pending public CSP
- docs/TODO.SECURITY.md: items #3-6 moved to resolved; priority order updated
This commit is contained in:
Théophile Gervreau-Mercier
2026-02-08 14:01:33 +01:00
parent f5d3281c43
commit a2b1ff5f41
10 changed files with 203 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
nginx/posterg.conf
View File

@@ -74,6 +74,13 @@ server {
# Rate limiting for admin
limit_req zone=admin burst=5 nodelay;
# Content-Security-Policy — ported from public/admin/.htaccess which nginx ignores (item #6).
# Tighter policy for admin: no external sources, no object embedding.
add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
# Disable directory listing (nginx default is off; explicit for defence-in-depth, item #6)
autoindex off;
# Allow access to public assets without authentication
location ~ ^/admin/(css|js|images)/ {
auth_basic off;
@@ -134,6 +141,14 @@ server {
try_files $uri $uri/ =404;
}
# Deny access to log files — public/admin/.htaccess had this rule but Apache
# .htaccess directives are silently ignored by nginx (item #6).
location ~* \.log$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to .htaccess files (if Apache's document root concurs with nginx's)
location ~ /\.ht {
deny all;