From 012555c1cef35601b543cde67bff8726de97eb39 Mon Sep 17 00:00:00 2001
From: Thomas Bruederli <thomas@roundcube.net>
Date: Thu, 07 May 2015 05:00:35 -0400
Subject: [PATCH] Add .htaccess files to deny access to config, temp, logs + describe how to protect access to these directories in the INSTALL instructions (#1490378)

---
 INSTALL |   17 +++++++++++++++++
 1 files changed, 17 insertions(+), 0 deletions(-)

diff --git a/INSTALL b/INSTALL
index 67c0c05..0087a41 100644
--- a/INSTALL
+++ b/INSTALL
@@ -153,6 +153,23 @@
 	php_value       upload_max_filesize     2M
 
 
+SECURE YOUR INSTALLATION
+========================
+
+Access through the webserver to the following directories should be denied:
+
+  /config
+  /temp
+  /logs
+
+Roundcube uses .htaccess files to protect these directories, so be sure to
+allow override of the Limit directives to get them taken into account. The
+package also ships a .htaccess file in the root directory which defines some
+rewrite rules. In order to properly secure your installation, please enable
+mod_rewrite for Apache webserver and double check access to the above listed
+directories and their contents is denied.
+
+
 UPGRADING
 =========
 
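Review bot: The new SECURE YOUR INSTALLATION paragraph makes the protection depend entirely on .htaccess, but it never names the Apache setting involved and says nothing for webservers that ignore .htaccess files. "allow override of the Limit directives" should name the directive explicitly (AllowOverride with at least Limit, set in the vhost or Directory block covering the Roundcube root), and a sentence should state that on other webservers /config, /temp and /logs need equivalent deny rules in the server's own configuration. "double check access ... is denied" would be more useful as a concrete test, for example requesting a known file under each of the three directories and confirming the server answers with 403 rather than the file contents. The text also asks for mod_rewrite without saying what the root .htaccess rewrite rules protect, so a reader cannot tell what is exposed if the module is missing. Finally, the subject line says .htaccess files are added, but the diffstat lists only INSTALL; please confirm the files themselves ship in this change or a companion one.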

--
Gitblit v1.9.1