
Sitecore - allow access to sitemap.xml while disallowing other xml files

In our Sitecore 6.6.0 (rev. 130404) project we have a sitemap.xml file in the root folder. However, that file cannot be accessed from the browser because of a configuration in web.config.

<add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>

This configuration was added as instructed in the Sitecore security hardening guide.

If we remove this configuration, a user is able to access any .xml file inside the sitecore folder. How can we only allow access to sitemap.xml while disallowing access to other xml files in the website?

(We are running on IIS7 Integrated Mode)

ravinsp asked Dec 08 '22 13:12


2 Answers

Leave the global deny of .xml as is and add another rule to the <handlers> section with the following rule:

<add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow" />
<add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode" />

This will only allow the sitemap.xml and all other .xml files will be denied.

Removing the global deny on the .xml file is not recommended because it will remove the protection of the license.xml file, for example.

Martijn van der Put answered Jan 26 '23 00:01


Also, if you are setting up more than one exception, remember to change the "name" attribute - those have to be unique:

...name="xml allow" />

Sasha answered Jan 26 '23 00:01
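
A small checker for the handler rules discussed in the two answers above, as an added example that is not part of the original posts: it parses a web.config, flags repeated name values, and resolves a request to the first mapping that matches it. The first-match-in-order evaluation, file-name matching for patterns without a slash, the helper names and the sample request paths are assumptions of this simplified model, and preCondition is ignored.

```python
import fnmatch
import xml.etree.ElementTree as ET

FORBIDDEN = "System.Web.HttpForbiddenHandler"

# Constructed sample: the two <add> rules from the answer, wrapped in the
# minimum web.config structure needed to parse them.
SAMPLE_CONFIG = """<configuration><system.webServer><handlers>
  <add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow" />
  <add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode" />
</handlers></system.webServer></configuration>"""

def load_handlers(config_text):
    """Return the <add> handler mappings in document order."""
    root = ET.fromstring(config_text)
    return [dict(e.attrib) for sec in root.iter("handlers") for e in sec.findall("add")]

def duplicate_names(handlers):
    """Names used by more than one mapping; each name has to be unique."""
    names = [h.get("name", "") for h in handlers]
    return sorted({n for n in names if names.count(n) > 1})

def resolve(handlers, url_path, verb="GET"):
    """First mapping whose path pattern and verb list match (assumed model:
    first match wins, no-slash patterns match the file name, preCondition ignored)."""
    url_path = url_path.lower()
    file_name = url_path.rsplit("/", 1)[-1]
    for h in handlers:
        pattern = h.get("path", "").lower()
        target = url_path if "/" in pattern else file_name
        verbs = [v.strip().upper() for v in h.get("verb", "*").split(",")]
        if fnmatch.fnmatchcase(target, pattern) and ("*" in verbs or verb.upper() in verbs):
            return h
    return None

def is_blocked(handlers, url_path, verb="GET"):
    """True when the request resolves to the forbidden handler."""
    match = resolve(handlers, url_path, verb)
    return match is not None and match.get("type") == FORBIDDEN

if __name__ == "__main__":
    handlers = load_handlers(SAMPLE_CONFIG)
    print("duplicate names:", duplicate_names(handlers))
    for path in ("/sitemap.xml", "/license.xml", "/sitecore/sample.xml"):
        print(path, "->", "403" if is_blocked(handlers, path) else "served")
```

In this model, reversing the two rules makes the `*.xml` deny match first, so sitemap.xml is blocked again, and a non-GET request to sitemap.xml still falls through to the deny rule.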