From 31bcd5d9bfe9208dc252e4dc644fa07af10e90da Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Tue, 19 Apr 2022 11:02:27 +0200
Subject: [PATCH] more access restrictions on files in extensions

---
 .htaccess | 10 ++++++++--
 CHANGELOG | 1 +
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/.htaccess b/.htaccess
index 577662f59..474adf2bf 100644
--- a/.htaccess
+++ b/.htaccess
@@ -25,10 +25,16 @@ RewriteRule "^views/.*/images.*$" "-" [L]
 RewriteRule "^out/images.*$" "-" [L]
 RewriteRule "^styles/.*$" "-" [L]
-# Accessing a file in an extension is always possible
+# Accessing a file in an extension is only possible in one
+# of the directories op, out. res
 # Added for old extensions which do not use routes
+RewriteRule ^ext/[^/]+/icon.(?:png|svg)$ - [L]
+RewriteCond %{REQUEST_URI} "ext/[^/]+/"
+RewriteRule !^ext/[^/]+/.*(?:op|out|res) - [F]
+RewriteCond %{REQUEST_URI} "ext/[^/]+/res/.*$" [NC]
+RewriteRule !^ext/[^/]+/res/.*\.(?:css|js|png|svg) - [F]
 RewriteCond %{REQUEST_FILENAME} -f
-RewriteRule "^ext/.*$" "-" [L]
+RewriteRule ^ext/.*$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
diff --git a/CHANGELOG b/CHANGELOG
index 7d9885475..cfd9136e4 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -15,6 +15,7 @@
 - show expired documents in calendar
 - call new hook 'cleanUpDocument' after uploading or updating a document
 - pass 'add' or 'update' to hook 'addDocumentContentFile'
+- more access restrictions on files in extensions
 --------------------------------------------------------------------------------
 Changes in version 5.1.24
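Review bot: The new deny rule `RewriteRule !^ext/[^/]+/.*(?:op|out|res) - [F]` in the .htaccess hunk does not restrict access to the op, out and res directories as the comment above it says, because the alternation is not bound to a path component: `.*` followed by an unanchored `op`, `out` or `res` is satisfied by those letters appearing anywhere in the remaining path (a file or directory name containing "op" or "res" as a substring), so such requests are never forbidden. Binding it to a directory segment, `RewriteRule !^ext/[^/]+/(?:op|out|res)/ - [F]`, matches the stated intent. The same issue applies to the res filter two lines later: `.*\.(?:css|js|png|svg)` has no end anchor, so any path whose name contains one of those extensions somewhere before a further suffix passes the check; `RewriteRule !^ext/[^/]+/res/.*\.(?:css|js|png|svg)$ - [F] [NC]` (the flag matching the preceding RewriteCond) closes that, and the unescaped dot in `icon.(?:png|svg)$` should be `icon\.`. The comment's "op, out. res" reads as a typo for "op, out, res".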