From c3df9b6484eb2eca4d4074005cb2c81619857402 Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Thu, 29 Oct 2020 11:03:28 +0200
Subject: [PATCH] Added `.htaccess` rule to block attempts to use Twig in the request URL

---
 .htaccess | 3 +++
 CHANGELOG.md | 1 +
 webserver-configs/htaccess.txt | 3 +++
 3 files changed, 7 insertions(+)

diff --git a/.htaccess b/.htaccess
index ef79a4bc2..83063ae2e 100644
--- a/.htaccess
+++ b/.htaccess
@@ -27,6 +27,9 @@ RewriteEngine On
 # If you experience problems on your site block out the operations listed below
 # This attempts to block the most common type of exploit `attempts` to Grav
 #
+# Block out any script trying to use twig tags in URL.
+RewriteCond %{REQUEST_URI} ({{|}}|{%|%}) [OR]
+RewriteCond %{QUERY_STRING} ({{|}}|{%25|%25}) [OR]
 # Block out any script trying to base64_encode data within the URL.
 RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
 # Block out any script that includes a