more access restrictions on files in extensions

.htaccess

@@ -25,10 +25,16 @@ RewriteRule "^views/.*/images.*$" "-" [L]
 RewriteRule "^out/images.*$" "-" [L]
 RewriteRule "^styles/.*$" "-" [L]
 
-# Accessing a file in an extension is always possible
+# Accessing a file in an extension is only possible in one
+# of the directories op, out. res
 # Added for old extensions which do not use routes
+RewriteRule ^ext/[^/]+/icon.(?:png|svg)$ - [L]
+RewriteCond %{REQUEST_URI} "ext/[^/]+/"
+RewriteRule !^ext/[^/]+/.*(?:op|out|res) - [F]
+RewriteCond %{REQUEST_URI} "ext/[^/]+/res/.*$" [NC]
+RewriteRule !^ext/[^/]+/res/.*\.(?:css|js|png|svg) - [F]
 RewriteCond %{REQUEST_FILENAME} -f
-RewriteRule "^ext/.*$" "-" [L]
+RewriteRule ^ext/.*$ - [L]
 
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d

CHANGELOG

@@ -15,6 +15,7 @@
 - show expired documents in calendar
 - call new hook 'cleanUpDocument' after uploading or updating a document
 - pass 'add' or 'update' to hook 'addDocumentContentFile'
+- more access restrictions on files in extensions
 
 --------------------------------------------------------------------------------
                      Changes in version 5.1.24