ENGCOM-4562: Secure errors directory #20212

Author: sivaschenko

nginx.conf.sample

@@ -159,6 +159,11 @@ location /media/downloadable/ {
 location /media/import/ {
     deny all;
 }
+location /errors/ {
+    location ~* \.xml$ {
+        deny all;
+    }
+}
 
 # PHP entry point for main application
 location ~ ^/(index|get|static|errors/report|errors/404|errors/503|health_check)\.php$ {
@@ -198,6 +203,6 @@ gzip_types
 gzip_vary on;
 
 # Banned locations (only reached if the earlier PHP entry point regexes don't match)
-location ~* (\.php$|\.htaccess$|\.git) {
+location ~* (\.php$|\.phtml$|\.htaccess$|\.git) {
     deny all;
 }

pub/errors/.htaccess

@@ -1,4 +1,7 @@
 Options None
+<FilesMatch "\.(xml|phtml)$">
+    Deny from all
+</FilesMatch>
 <IfModule mod_rewrite.c>
     RewriteEngine Off
 </IfModule>