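<IfModule mod_setenvif.c>
  # NOTE: every rule in this file lives inside this <IfModule>. If
  # mod_setenvif is not loaded the whole block is skipped and nothing
  # here restricts access to the plugins, so check that it is enabled.

  ErrorDocument 403 "This request has been denied because the plugin is potentially vulnerable and your IP is not approved. Developers can add approved IP addresses to the [...]/xinha/unsupported_plugins/.htaccess file"

  # Some unsupported plugins are potentially more dangerous to have
  # open-to-the-world than others due to the potential for unknown or
  # crept-in-through-php-updates type vulnerabilities
  #
  # As a result those plugins (see further below) are limited to approved
  # IP addresses only, which you can set below.
  # Localhost only by default, I figure if you are running locally there
  # isn't much more bad can happen than already is.
  #
  # Remote_Addr is the address of the connecting peer. If this server
  # sits behind a reverse proxy on the same host, every request may
  # appear to come from 127.0.0.1 and would be approved; in that setup
  # remove the line below or have the real client address restored
  # (for example with mod_remoteip) before relying on it.
  #
  # The patterns are regular expressions and are anchored with ^ and $
  # so that they match the whole address and not merely a part of it.
  ########################################################################
  SetEnvIf Remote_Addr ^127\.0\.0\.1$ approved_ip
  # IPv6 loopback, uncomment if you reach the local server over ::1
  # SetEnvIf Remote_Addr ^::1$ approved_ip

  # The following ranges are the Private IPv4 Space
  # If you are allowing only your local network to access this, just
  # uncomment the appropriate one(s)
  #
  # Keep the leading ^ : without it the 10.x.x.x pattern would also
  # match public addresses such as 110.x.x.x and 210.x.x.x.
  ########################################################################
  # SetEnvIf Remote_Addr ^192\.168\.[0-9]+\.[0-9]+$ approved_ip
  # SetEnvIf Remote_Addr ^10\.[0-9]+\.[0-9]+\.[0-9]+$ approved_ip
  # SetEnvIf Remote_Addr ^172\.1[6-9]\.[0-9]+\.[0-9]+$ approved_ip
  # SetEnvIf Remote_Addr ^172\.2[0-9]\.[0-9]+\.[0-9]+$ approved_ip
  # SetEnvIf Remote_Addr ^172\.3[0-1]\.[0-9]+\.[0-9]+$ approved_ip

  ########################################################################
  # Add additional SetEnvIf to approve further IP addresses, note that
  # the IP address is a regular expression, be sure to escape the dots
  # and to keep the ^ and $ anchors.
  ########################################################################
  # SetEnvIf Remote_Addr ^111\.111\.111\.111$ approved_ip
  # SetEnvIf Remote_Addr ^123\.123\.123\.123$ approved_ip

  #########################################################################
  # Plugin List
  #########################################################################
  # The plugins regarded as safe are listed first, commented out, for
  # reference only. The plugins marked security_threat below them are
  # the ones restricted to approved IP addresses.
  #
  # Only a plugin marked security_threat is restricted: a plugin that
  # is not listed here at all stays open to everybody, so add a line
  # for any further plugin you want limited.

  #SetEnvIf Request_URI "/BackgroundImage/" not_a_security_threat
  #SetEnvIf Request_URI "/DoubleClick/" not_a_security_threat
  #SetEnvIf Request_URI "/Filter/" not_a_security_threat
  #SetEnvIf Request_URI "/InsertMarquee/" not_a_security_threat
  #SetEnvIf Request_URI "/NoteServer/" not_a_security_threat
  #SetEnvIf Request_URI "/Template/" not_a_security_threat

  # Matched case-insensitively so that the restriction also holds where
  # the filesystem serves a plugin directory regardless of letter case.
  SetEnvIfNoCase Request_URI "/ExtendedFileManager/" security_threat
  SetEnvIfNoCase Request_URI "/HtmlTidy/" security_threat
  SetEnvIfNoCase Request_URI "/ImageManager/" security_threat
  SetEnvIfNoCase Request_URI "/InsertPicture/" security_threat
  SetEnvIfNoCase Request_URI "/SpellChecker/" security_threat
  SetEnvIfNoCase Request_URI "/PersistentStorage/" security_threat
  SetEnvIfNoCase Request_URI "/PSFixed/" security_threat
  SetEnvIfNoCase Request_URI "/PSLocal/" security_threat
  SetEnvIfNoCase Request_URI "/PSServer/" security_threat

  # And this is where we deny things, hopefully this concoction of rules
  # works in most typical Apache situations.

  # Apache < 2.3
  <IfModule !mod_authz_core.c>
    # Deny,Allow means
    #   if both match then allow,
    #   else if neither match then allow,
    #   else if deny matches then deny,
    #   else if allow matches then allow
    Order Deny,Allow
    Deny from env=security_threat
    Allow from env=approved_ip
  </IfModule>

  # Apache >= 2.3
  <IfModule mod_authz_core.c>
    # If the compatibility module is loaded we have to repeat the
    # old-style rules as well, to make sure the request is still denied
    # in case the vhost includes old rules too, which would override
    # the new Require directives
    <IfModule mod_access_compat.c>
      Order Deny,Allow
      Deny from env=security_threat
      Allow from env=approved_ip
    </IfModule>

    # Finally Apache >= 2.3 properly (why did they make this so confusing)
    <RequireAny>
      # Deny everybody by default
      Require all denied

      # Except if it's not a security threat
      <RequireAll>
        Require all granted
        Require not env security_threat
      </RequireAll>

      # Except if it's an approved IP
      <RequireAll>
        Require all granted
        Require env approved_ip
      </RequireAll>
    </RequireAny>
  </IfModule>
</IfModule>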