From b74b684d4af6c4bbdfcafb2d99e737550962c9bc Mon Sep 17 00:00:00 2001
From: Ivan Kohler <ivan@freeside.biz>
Date: Fri, 23 Oct 2015 16:22:45 -0700
Subject: [PATCH] deny remote access to elements/*html, RT#23357

---
 htetc/freeside-base2.conf | 45 ++++++++++++++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/htetc/freeside-base2.conf b/htetc/freeside-base2.conf
index 49b4a243d..3eef50cad 100644
--- a/htetc/freeside-base2.conf
+++ b/htetc/freeside-base2.conf
@@ -15,27 +15,38 @@ PerlRequire "%%%MASON_HANDLER%%%"
 AddDefaultCharset UTF-8
 
 <Directory %%%FREESIDE_DOCUMENT_ROOT%%%>
-AuthName Freeside
-AuthType Basic
-AuthUserFile %%%FREESIDE_CONF%%%/htpasswd
-require valid-user
-<Files ~ "(\.cgi|\.html)$">
-SetHandler perl-script
-PerlHandler HTML::Mason
-</Files>
+
+    AuthName Freeside
+    AuthType Basic
+    AuthUserFile %%%FREESIDE_CONF%%%/htpasswd
+    require valid-user
+
+    <Files ~ "(\.cgi|\.html)$">
+        SetHandler perl-script
+        PerlHandler HTML::Mason
+    </Files>
+
 </Directory>
+
+<Directory %%%FREESIDE_DOCUMENT_ROOT%%%/elements/>
+    <Files ~ "(\.html)$">
+        Deny from all
+        SetHandler None
+    </Files>
+</Directory>
+
 <Directory %%%FREESIDE_DOCUMENT_ROOT%%%/rt/Helpers/>
-SetHandler perl-script
-PerlHandler HTML::Mason
+    SetHandler perl-script
+    PerlHandler HTML::Mason
 </Directory>
 
 <Directory %%%FREESIDE_DOCUMENT_ROOT%%%/loginout>
-AuthName Freeside
-AuthType Basic
-AuthUserFile %%%FREESIDE_CONF%%%/htpasswd.logout
-require valid-user
-<Files ~ "(\.cgi|\.html)$">
-SetHandler default-handler
-</Files>
+    AuthName Freeside
+    AuthType Basic
+    AuthUserFile %%%FREESIDE_CONF%%%/htpasswd.logout
+    require valid-user
+    <Files ~ "(\.cgi|\.html)$">
+        SetHandler default-handler
+    </Files>
 </Directory>
 
-- 
2.11.0