Contrib.social

hook_requirements() for un-protected configuration directories

Open on Drupal.org →
Created on 11 February 2013, over 12 years ago
Updated 11 May 2025, 1 day ago

I've seen D8 places it's configuration files under drupal8\sites\default\files\config_*\active. This is an insecure location if .htaccess is not available or broken. All the config files may contains very critical information to hack a site and prying eyes will be happy to see this details e.g. file system paths, site e-mail address, chmod settings and other settings. Maybe the encryption keys are also saved there, but I have not found them yet.

We have never made to to care about security here in past as this was all hidden in variables table, but once this stuff goes into the file system prying eyes are able to see this if something goes minimal wrong.

This folder need to be moved outside of the folders that are public e.g. private folder

📌 Task
Status

Postponed: needs info

Version

11.0 🔥

Component

configuration system

Created by

mbkaba22

Live updates comments and jobs are added and updated live.
  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

  • stale-issue-cleanup

    To track issues in the developing policy for closing stale issues, [Policy, no patch] closing older issues

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment 1 day ago
    🇺🇸United States smustgrave

    Thank you for creating this issue to improve Drupal.

    We are working to decide if this task is still relevant to a currently supported version of Drupal. There hasn't been any discussion here for over 8 years which suggests that this has either been implemented or is no longer relevant. Your thoughts on this will allow a decision to be made.

    Since we need more information to move forward with this issue, the status is now Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

    Thanks!

  • Comment about 18 hours ago
    🇫🇷France fgm Paris, France

    Things changed since the last discussions on this: at the time, many projects were still having drupal at the project root, but with the usual scaffolds, Drupal is most often under (root)/web these days, so there is no longer really a good reason not to create the config outside, e.g. in (root)/config. The same actually applies to the private file system, logs, and temporary directories, I think : we could easily have more security by default by setting these instead of just documenting to users how to create them.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024