sitecore - allow access to sitemap.xml while disallowing other xml files

Question

In our sitecore 6.6.0 (rev. 130404) project we have a sitemap.xml file in the root folder. However that file cannot be accessed from the browser because of a configuration in web.config.

<add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode"/>

This configuration was added as instructed in the sitecore security hardening guide.

If we remove this configuration, a user is able to access any .xml file inside the sitecore folder. How can we only allow access to sitemap.xml while disallowing access to other xml files in the website?

(We are running on IIS7 Integrated Mode)

Answer 1

Leave the global deny of .xml as is and add another rule to the <handlers> section with the following rule:

<add path="sitemap.xml" verb="GET" type="System.Web.StaticFileHandler" name="xml allow" />
<add path="*.xml" verb="*" type="System.Web.HttpForbiddenHandler" name="xml (integrated)" preCondition="integratedMode" />

This will only allow the sitemap.xml and all other .xml files will be denied.

Removing the global deny on the .xml file is not recommended because it will remove the protection of the license.xml file, for example.

Answer 2

Also, if you are setting up more than one exception, remember to change the "name" attribute - those have to be unique:

...name="xml allow" />