/**
 * Generate IIS web.config files to restrict access.
 *
 * Writes one web.config at PIWIK_INCLUDE_PATH that hides the config, core,
 * lang and tmp segments, refuses requests for a fixed list of sensitive
 * file extensions, disables directory browsing, sets index.php as the
 * default document and registers the SVG mime type; then writes one
 * web.config in each of /libs, /vendor and /plugins that denies any URL
 * containing ".php".
 *
 * Note: for IIS 7 and above. Does nothing when the server is not IIS.
 *
 * Writes are best-effort: every file_put_contents call is wrapped in "@",
 * so a failed write is neither reported nor retried and the affected
 * directory simply keeps no protection from this method. Deployments
 * should confirm the generated files are present.
 */
public static function createWebConfigFiles()
{
    if (!SettingsServer::isIIS()) {
        return;
    }

    // URL segments that must never be served by IIS.
    $hiddenSegments = array('config', 'core', 'lang', 'tmp');

    // File extensions that must never be served directly.
    $blockedExtensions = array(
        '.tpl', '.twig', '.php4', '.php5', '.inc', '.in', '.csv', '.pdf', '.log',
    );

    $segmentTags = array();
    foreach ($hiddenSegments as $segment) {
        $segmentTags[] = '<add segment="' . $segment . '" />';
    }

    $extensionTags = array();
    foreach ($blockedExtensions as $extension) {
        $extensionTags[] = '<add fileExtension="' . $extension . '" allowed="false" />';
    }

    $rootConfig = '<?xml version="1.0" encoding="UTF-8"?> '
        . '<configuration> <system.webServer> <security> <requestFiltering> '
        . '<hiddenSegments> ' . implode(' ', $segmentTags) . ' </hiddenSegments> '
        . '<fileExtensions> ' . implode(' ', $extensionTags) . ' </fileExtensions> '
        . '</requestFiltering> </security> '
        . '<directoryBrowse enabled="false" /> '
        . '<defaultDocument> <files> <remove value="index.php" /> <add value="index.php" /> </files> </defaultDocument> '
        . '<staticContent> <remove fileExtension=".svg" /> <mimeMap fileExtension=".svg" mimeType="image/svg+xml" /> </staticContent> '
        . '</system.webServer> </configuration>';

    // Failure is deliberately ignored here (see the method docblock).
    @file_put_contents(PIWIK_INCLUDE_PATH . '/web.config', $rootConfig);

    // Library and plugin directories: deny direct access to .php files.
    $denyPhpConfig = '<?xml version="1.0" encoding="UTF-8"?> '
        . '<configuration> <system.webServer> <security> <requestFiltering> '
        . '<denyUrlSequences> <add sequence=".php" /> </denyUrlSequences> '
        . '</requestFiltering> </security> </system.webServer> </configuration>';

    foreach (array('/libs', '/vendor', '/plugins') as $protectedDirectory) {
        @file_put_contents(PIWIK_INCLUDE_PATH . $protectedDirectory . '/web.config', $denyPhpConfig);
    }
}
/**
 * Generate the web-server access-restriction files for this install.
 *
 * Picks the generator matching the web server: web.config files when
 * SettingsServer::isIIS() reports IIS, otherwise the .htaccess
 * generator. The web-root files are generated in either case.
 * Returns nothing; any failure reporting is left to the generators.
 */
protected static function initServerFilesForSecurity()
{
    $runningOnIis = SettingsServer::isIIS();

    if (!$runningOnIis) {
        ServerFilesGenerator::createHtAccessFiles();
    } else {
        ServerFilesGenerator::createWebConfigFiles();
    }

    // Needed regardless of which web server is serving the install.
    ServerFilesGenerator::createWebRootFiles();
}