From 3784ddd0733d8c71259dfa0966605b71b2772113 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@fedoraproject.org>
Date: May 10 2017 15:27:39 +0000
Subject: protect .phar from being executed from uploads directory


---

diff --git a/wordpress-httpd-conf b/wordpress-httpd-conf
index 68ca0a3..3692823 100644
--- a/wordpress-httpd-conf
+++ b/wordpress-httpd-conf
@@ -20,7 +20,7 @@ Alias /wordpress /usr/share/wordpress
 
 <Directory /usr/share/wordpress/wp-content/uploads>
   # Deny access to any php file in the uploads directory
-  <FilesMatch "\.(php)$">
+  <FilesMatch "\.(php|phar)$">
     Order Deny,Allow
     Deny from all
   </FilesMatch>
diff --git a/wordpress.spec b/wordpress.spec
index d6733de..c33c873 100644
--- a/wordpress.spec
+++ b/wordpress.spec
@@ -27,7 +27,7 @@ URL:        http://www.wordpress.org
 Name:       wordpress
 Version:    4.7.4
 Group:      Applications/Publishing
-Release:    1%{?dist}
+Release:    2%{?dist}
 License:    GPLv2
 
 Source0:    http://wordpress.org/%{name}-%{version}%{?prever:-%{prever}}.tar.gz
@@ -307,6 +307,9 @@ rm -rf ${RPM_BUILD_ROOT}
 
 
 %changelog
+* Tue Mar  7 2017 Remi Collet <remi@remirepo.net> - 4.7.4-2
+- protect .phar from being executed from uploads directory
+
 * Sat Apr 22 2017 Kevin Fenzi <kevin@scrye.com> - 4.7.4-1
 - Update to 4.7.4. Maintenance Release.