Security: add rules to .htaccess to prevent direct PHP execution from the corresponding directories and updates security.html with a missing change in the previous commit. Using security.html is still the recommended way to go for security, but in the absence of that, we want to make sure Chamilo is always more secure.

Author: ywarnier

.htaccess

@@ -8,6 +8,12 @@
 
 RewriteEngine on
 
+# Prevent execution of PHP from directories used for different types of uploads
+RedirectMatch 403 ^/app/(cache|courses|home|logs|upload)/.*\.(php|php4|php5)$
+RedirectMatch 403 ^/main/default_course_document/images/.*\.(php|php4|php5)$
+RedirectMatch 403 ^/main/lang/.*\.(php|php4|php5)$
+RedirectMatch 403 ^/web/css/.*\.(php|php4|php5)$
+
 # http://my.chamilo.net/certificates/?id=123 to http://my.chamilo.net/certificates/index.php?id=123
 RewriteCond %{QUERY_STRING} ^id=(.*)$
 RewriteRule ^certificates/$ certificates/index.php?id=%1 [L]

documentation/security.html

@@ -141,13 +141,13 @@ <h2><a name="5.Files-permissions"></a>5. Restricting files permissions</h2>
   location ~ ^/app/(cache|courses|home|logs|upload)/.*\.(php|php4|php5)$ {
     deny all;
   }
-  location ~ ^/main/default_course_document/images/.*\.php$ {
+  location ~ ^/main/default_course_document/images/.*\.(php|php4|php5)$ {
     deny all;
   }
-  location ~ ^/main/lang/.*\.php$ {
+  location ~ ^/main/lang/.*\.(php|php4|php5)$ {
     deny all;
   }
-  location ~ ^/web/css/.*\.php$ {
+  location ~ ^/web/css/.*\.(php|php4|php5)$ {
     deny all;
   }
         </pre>