| author | Remi Collet <remi@remirepo.net> | 2020-03-24 11:58:47 +0100 | 
|---|---|---|
| committer | Remi Collet <remi@remirepo.net> | 2020-03-24 11:58:47 +0100 | 
| commit | 5e11d323aca6b3fd9f07e5f4ca35c67719d1a265 (patch) | |
| tree | 50b7f1660e7918a956637e3b2da27f8334ccc962 | |
| parent | ad37f18d7f07e5c09aa88174406bb986def34138 (diff) | |
cleanup httpd configuration
| -rw-r--r-- | phpMyAdmin.htaccess | 40 | ||||
| -rw-r--r-- | phpMyAdmin.htaccess22 | 103 | ||||
| -rw-r--r-- | phpMyAdmin.spec | 15 | 
3 files changed, 126 insertions, 32 deletions
diff --git a/phpMyAdmin.htaccess b/phpMyAdmin.htaccess
index 4ac6cb4..5854f10 100644
--- a/phpMyAdmin.htaccess
+++ b/phpMyAdmin.htaccess
@@ -11,52 +11,30 @@ Alias /phpmyadmin /usr/share/phpMyAdmin
 <Directory /usr/share/phpMyAdmin/>
    AddDefaultCharset UTF-8
-   <IfModule mod_authz_core.c>
-     # Apache 2.4
-     Require local
-   </IfModule>
-   <IfModule !mod_authz_core.c>
-     # Apache 2.2
-     Order Deny,Allow
-     Deny from All
-     Allow from 127.0.0.1
-     Allow from ::1
-   </IfModule>
+   Require local
 </Directory>
 <Directory /usr/share/phpMyAdmin/setup/>
-   <IfModule mod_authz_core.c>
-     # Apache 2.4
-     Require local
-   </IfModule>
-   <IfModule !mod_authz_core.c>
-     # Apache 2.2
-     Order Deny,Allow
-     Deny from All
-     Allow from 127.0.0.1
-     Allow from ::1
-   </IfModule>
+   Require local
 </Directory>
 # These directories do not require access over HTTP - taken from the original
 # phpMyAdmin upstream tarball
 #
 <Directory /usr/share/phpMyAdmin/libraries/>
-    Order Deny,Allow
-    Deny from All
-    Allow from None
+    Require all denied
+</Directory>
+
+<Directory /usr/share/phpMyAdmin/templates/>
+    Require all denied
 </Directory>
 <Directory /usr/share/phpMyAdmin/setup/lib/>
-    Order Deny,Allow
-    Deny from All
-    Allow from None
+    Require all denied
 </Directory>
 <Directory /usr/share/phpMyAdmin/setup/frames/>
-    Order Deny,Allow
-    Deny from All
-    Allow from None
+    Require all denied
 </Directory>
 # This configuration prevents mod_security at phpMyAdmin directories from
diff --git a/phpMyAdmin.htaccess22 b/phpMyAdmin.htaccess22
new file mode 100644
index 0000000..64d7e9a
--- /dev/null
+++ b/phpMyAdmin.htaccess22 
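Review bot: The `Require local` kept in the `<Directory /usr/share/phpMyAdmin/setup/>` stanza now reads as a plain duplicate of the parent `<Directory /usr/share/phpMyAdmin/>` rule, and nothing in the file says why it is there. It only has an effect once an administrator widens the parent rule, at which point it is what keeps the setup scripts reachable from localhost only, so a comment such as `# keep setup/ restricted to localhost even if the parent Directory is opened up` would stop it being dropped as redundant in a later cleanup. Next to the parent rule it is also worth a comment that `Require local` is evaluated against the client address Apache sees, so behind a reverse proxy on the same host every request qualifies unless the real client address is restored (for example with mod_remoteip).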
@@ -0,0 +1,103 @@
+# phpMyAdmin - Web based MySQL browser written in php
+# 
+# Allows only localhost by default
+#
+# But allowing phpMyAdmin to anyone other than localhost should be considered
+# dangerous unless properly secured by SSL
+
+Alias /phpMyAdmin /usr/share/phpMyAdmin
+Alias /phpmyadmin /usr/share/phpMyAdmin
+
+<Directory /usr/share/phpMyAdmin/>
+   AddDefaultCharset UTF-8
+
+   <IfModule mod_authz_core.c>
+     # Apache 2.4
+     Require local
+   </IfModule>
+   <IfModule !mod_authz_core.c>
+     # Apache 2.2
+     Order Deny,Allow
+     Deny from All
+     Allow from 127.0.0.1
+     Allow from ::1
+   </IfModule>
+</Directory>
+
+<Directory /usr/share/phpMyAdmin/setup/>
+   <IfModule mod_authz_core.c>
+     # Apache 2.4
+     Require local
+   </IfModule>
+   <IfModule !mod_authz_core.c>
+     # Apache 2.2
+     Order Deny,Allow
+     Deny from All
+     Allow from 127.0.0.1
+     Allow from ::1
+   </IfModule>
+</Directory>
+
+# These directories do not require access over HTTP - taken from the original
+# phpMyAdmin upstream tarball
+#
+<Directory /usr/share/phpMyAdmin/libraries/>
+    <IfModule mod_authz_core.c>
+      # Apache 2.4
+      Require all denied
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+      # Apache 2.2
+      Order Deny,Allow
+      Deny from All
+      Allow from None
+    </IfModule>
+</Directory>
+
+<Directory /usr/share/phpMyAdmin/templates/>
+    <IfModule mod_authz_core.c>
+      # Apache 2.4
+      Require all denied
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+      # Apache 2.2
+      Order Deny,Allow
+      Deny from All
+      Allow from None
+    </IfModule>
+</Directory>
+
+<Directory /usr/share/phpMyAdmin/setup/lib/>
+    <IfModule mod_authz_core.c>
+      # Apache 2.4
+      Require all denied
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+      # Apache 2.2
+      Order Deny,Allow
+      Deny from All
+      Allow from None
+    </IfModule>
+</Directory>
+
+<Directory /usr/share/phpMyAdmin/setup/frames/>
+    <IfModule mod_authz_core.c>
+      # Apache 2.4
+      Require all denied
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+      # Apache 2.2
+      Order Deny,Allow
+      Deny from All
+      Allow from None
+    </IfModule>
+</Directory>
+
+# This configuration prevents mod_security at phpMyAdmin directories from
+# filtering SQL etc.  This may break your mod_security implementation.
+#
+#<IfModule mod_security.c>
+#    <Directory /usr/share/phpMyAdmin/>
+#        SecRuleInheritance Off
+#    </Directory>
+#</IfModule>
diff --git a/phpMyAdmin.spec b/phpMyAdmin.spec
index 3b1c9d0..62df4c2 100644
--- a/phpMyAdmin.spec
+++ b/phpMyAdmin.spec
@@ -1,4 +1,5 @@
 # remirepo spec file for phpMyAdmin
+# remirepo:3
 #
 # Copyright (c) 2008-2020 Remi Collet
 #
@@ -27,7 +28,7 @@
 Name: phpMyAdmin
 Version: %{upstream_version}%{?upstream_prever:~%{upstream_prever}}
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: A web interface for MySQL and MariaDB
 # MIT (js/jquery/, js/jqplot, js/codemirror/, js/tracekit/)
@@ -40,6 +41,8 @@ Source1: https://files.phpmyadmin.net/%{name}/%{upstream_version}%{?upstream_pre
 Source2: phpMyAdmin.htaccess
 Source3: phpMyAdmin.nginx
 Source4: https://files.phpmyadmin.net/phpmyadmin.keyring
+# remirepo:1
+Source10: phpMyAdmin.htaccess22
 # Redirect to system certificates
 Patch0:  phpMyAdmin-certs.patch
@@ -261,7 +264,14 @@ mkdir -p %{buildroot}/%{_datadir}/%{name}
 cp -ad ./* %{buildroot}/%{_datadir}/%{name}
 install -Dpm 0640 CONFIG %{buildroot}/%{_sysconfdir}/%{name}/config.inc.php
 # Apache
+# remirepo:4
+%if 0%{?rhel} == 6
+# old config file with Apache 2.2/2.4 compatibility
+install -Dpm 0644 %{SOURCE10} %{buildroot}/%{_sysconfdir}/httpd/conf.d/phpMyAdmin.conf
+%else
 install -Dpm 0644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/conf.d/phpMyAdmin.conf
+# remirepo:1
+%endif
 # Nginx
 %if %{with_nginx}
 install -Dpm 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/nginx/default.d/phpMyAdmin.conf 
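Review bot: The `Allow from None` lines in the Apache 2.2 branches of the `libraries/`, `templates/`, `setup/lib/` and `setup/frames/` stanzas do not use a keyword; Apache 2.2 reads `None` as a host name pattern. Under `Order Deny,Allow` an `Allow` match overrides `Deny from All`, so these directories are closed only because no client name is expected to match, and a host-name `Allow` makes Apache 2.2 do a double reverse DNS lookup on the client address. Dropping the line and keeping `Order Deny,Allow` with `Deny from All` states the deny-all intent directly. The lines are carried over from the stanzas removed from phpMyAdmin.htaccess, so this is the place to fix them now that the 2.2 rules live only in this file.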
@@ -330,6 +340,9 @@ sed -e "/'blowfish_secret'/s/MUSTBECHANGEDONINSTALL/$SECRET/" \
 %changelog
+* Tue Mar 24 2020 Remi Collet <remi@remirepo.net> 5.0.2-2
+- cleanup httpd configuration
+
 * Sat Mar 21 2020 Remi Collet <remi@remirepo.net> 5.0.2-1
 - update to 5.0.2 (2020-03-21, security release)
 - use phpmyadmin/twig-i18n-extension instead of twig/extensions  | 
