From 64250f2a4ef73d8b2686d275dc39aee4d389b0e6 Mon Sep 17 00:00:00 2001
From: Jochen Wiedmann <jochen.wiedmann@gmail.com>
Date: Mon, 2 Feb 2015 16:37:38 +0000
Subject: Bug 1121477: Support for Apache HTTPD 2.4 r=dkl,a=glob

---
 .htaccess                      | 12 ++++-
 Bugzilla/Install/Filesystem.pm | 99 ++++++++++++++++++++++++++++++++++++++----
 2 files changed, 101 insertions(+), 10 deletions(-)

diff --git a/.htaccess b/.htaccess
index 7ef20d8b6..14325d152 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,6 +1,16 @@
 # Don't allow people to retrieve non-cgi executable files or our private data
 <FilesMatch (\.pm|\.pl|\.tmpl|localconfig.*)$>
-  deny from all
+  <IfModule mod_version.c>
+    <IfVersion <= 2.2>
+      Deny from all
+    </IfVersion>
+    <IfVersion > 2.2>
+      Require all denied
+    </IfVersion>
+  </IfModule>
+  <IfModule !mod_version.c>
+    Deny from all
+  </IfModule>
 </FilesMatch>
 
 Options -Indexes
diff --git a/Bugzilla/Install/Filesystem.pm b/Bugzilla/Install/Filesystem.pm
index 64b651c62..f28d6699b 100644
--- a/Bugzilla/Install/Filesystem.pm
+++ b/Bugzilla/Install/Filesystem.pm
@@ -47,7 +47,17 @@ our @EXPORT = qw(
 use constant HT_DEFAULT_DENY => <<EOT;
 # nothing in this directory is retrievable unless overridden by an .htaccess
 # in a subdirectory
-deny from all
+<IfModule mod_version.c>
+  <IfVersion <= 2.2>
+    Deny from all
+  </IfVersion>
+  <IfVersion > 2.2>
+    Require all denied
+  </IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+    Deny from all
+</IfModule>
 EOT
 
 ###############
@@ -340,11 +350,31 @@ EOT
         "$graphsdir/.htaccess" => { perms => WS_SERVE, contents => <<EOT
 # Allow access to .png and .gif files.
 <FilesMatch (\\.gif|\\.png)\$>
-  Allow from all
+  <IfModule mod_version.c>
+    <IfVersion <= 2.2>
+      Allow from all
+    </IfVersion>
+    <IfVersion > 2.2>
+      Require all granted
+    </IfVersion>
+  </IfModule>
+  <IfModule !mod_version.c>
+    Allow from all
+  </IfModule>
 </FilesMatch>
 
 # And no directory listings, either.
-Deny from all
+<IfModule mod_version.c>
+  <IfVersion <= 2.2>
+    Deny from all
+  </IfVersion>
+  <IfVersion > 2.2>
+    Require all denied
+  </IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+  Deny from all
+</IfModule>
 EOT
         },
 
@@ -353,28 +383,79 @@ EOT
 # generated .dot files. Uncomment this section and replace the IP address with
 # the IP address of your webdot server.
 #<FilesMatch \\.dot\$>
-#  Allow from 127.0.0.1/24
-#  Deny from all
+#  <IfModule mod_version.c>
+#    <IfVersion <= 2.2>
+#      Allow from 127.0.0.1/24
+#      Deny from all
+#    </IfVersion>
+#    <IfVersion > 2.2>
+#      Require ip 127.0.0.1/24
+#      Require all denied
+#  </IfModule>
+#  <IfModule !mod_version.c>
+#    Allow from 127.0.0.1/24
+#    Deny from all
+#  </IfModule>
 #</FilesMatch>
 
 # Allow access to .png files created by a local copy of 'dot'
 <FilesMatch \\.png\$>
-  Allow from all
+  <IfModule mod_version.c>
+    <IfVersion <= 2.2>
+      Allow from all
+    </IfVersion>
+    <IfVersion > 2.2>
+      Require all granted
+    </IfVersion>
+  </IfModule>
+  <IfModule !mod_version.c>
+     Allow from all
+  </IfModule>
 </FilesMatch>
 
 # And no directory listings, either.
-Deny from all
+<IfModule mod_version.c>
+  <IfVersion <= 2.2>
+    Deny from all
+  </IfVersion>
+  <IfVersion > 2.2>
+    Require all denied
+  </IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+  Deny from all
+</IfModule>
 EOT
         },
 
         "$assetsdir/.htaccess" => { perms => WS_SERVE, contents => <<EOT
 # Allow access to .css files
 <FilesMatch \\.(css|js)\$>
-  Allow from all
+  <IfModule mod_version.c>
+    <IfVersion <= 2.2>
+      Allow from all
+    </IfVersion>
+    <IfVersion > 2.2>
+      Require all granted
+    </IfVersion>
+  </IfModule>
+  <IfModule !mod_version.c>
+     Allow from all
+  </IfModule>
 </FilesMatch>
 
 # And no directory listings, either.
-Deny from all
+<IfModule mod_version.c>
+  <IfVersion <= 2.2>
+    Deny from all
+  </IfVersion>
+  <IfVersion > 2.2>
+    Require all denied
+  </IfVersion>
+</IfModule>
+<IfModule !mod_version.c>
+  Deny from all
+</IfModule>
 EOT
         },
 
-- 
cgit v1.2.3-24-g4f1b