fix: avoid config backup downloads

Author: thorsten

.docker/nginx/default.conf

@@ -43,6 +43,12 @@ server {
         add_header Cache-Control "public, max-age=31536000, immutable";
     }
 
+    # Block zip files in content directory
+    location ~ ^/content/.*\.zip$ {
+        deny all;
+        return 403;
+    }
+
     # Rewrite logging, should be turned off on production
     rewrite_log on;
 
@@ -218,6 +224,12 @@ server {
         add_header Cache-Control "public, max-age=31536000, immutable";
     }
 
+    # Block zip files in content directory
+    location ~ ^/content/.*\.zip$ {
+        deny all;
+        return 403;
+    }
+
     # Rewrite logging, should be turned off on production
     rewrite_log on;
 

nginx.conf

@@ -65,6 +65,12 @@ server {
         add_header Cache-Control "public, max-age=31536000, immutable";
     }
 
+    # Block zip files in content directory
+    location ~ ^/content/.*\.zip$ {
+        deny all;
+        return 403;
+    }
+
     # Rewrite logging, should be turned off on production
     rewrite_log on;
 

phpmyfaq/.htaccess

@@ -98,6 +98,8 @@ Header set Access-Control-Allow-Headers "Content-Type, Authorization"
     </IfModule>
     # the path to your phpMyFAQ installation
     RewriteBase /
+    # Block zip files in content directory
+    RewriteRule ^content/.*\.zip$ - [F,L]
     # Exclude assets from being handled by Symfony Router
     RewriteRule ^(admin/assets)($|/) - [L]
     # Error pages

phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.php

@@ -33,6 +33,8 @@ final class SetupController extends AbstractController
 {
     public function check(Request $request): JsonResponse
     {
+        $this->userIsAuthenticated();
+
         if (trim($request->getContent()) === '') {
             return $this->json(['message' => 'No version given.'], Response::HTTP_BAD_REQUEST);
         }
@@ -68,6 +70,8 @@ public function check(Request $request): JsonResponse
 
     public function backup(Request $request): JsonResponse
     {
+        $this->userIsAuthenticated();
+
         if (trim($request->getContent()) === '') {
             return $this->json(['message' => 'No version given.'], Response::HTTP_BAD_REQUEST);
         }
@@ -93,6 +97,8 @@ public function backup(Request $request): JsonResponse
 
     public function updateDatabase(Request $request): JsonResponse
     {
+        $this->userIsAuthenticated();
+
         if (trim($request->getContent()) === '') {
             return $this->json(['message' => 'No version given.'], Response::HTTP_BAD_REQUEST);
         }