Protect contrib files

Created on 26 January 2016, over 9 years ago
Updated 7 July 2025, 8 days ago

It would be good if Drupal were to respond to any HTTP request for a non-JavaScript, non-CSS, non-content file (e.g. composer.json, README.md, CHANGELOG.txt [wasn't able to test this one, as new modules apparently don't have a changelog, logically.]) in contrib modules with 403 Forbidden, whether or not the file exists, to reduce fingerprinting.

Details follow:

I am noticing in my D7 site many hits to /sites/all/modules/[module name]/CHANGELOG.txt

If the module is present, it could theoretically allow the unknown visitor to find out the point version. And if the module is not present, Drupal returns a 404, which lets the visitor distinguish between modules I have and modules I don't have.

(Backport note: It appears CHANGELOG.txt in contrib modules is already protected with a 403 response in D7, whether or not the particular module has a CHANGELOG.txt file, at least on our website. However, I'm not sure where that code exists, and I don't see it in our root .htaccess file, so I can't explain it for certain.)

A consistent 403 response, if feasible, would be best.

Drupal Security team has okayed my posting this in the general queue.
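The behaviour the reporter asks for (a 403 whether or not the file exists, so the status code no longer reveals which module directories are present) can be produced with a URL-pattern rewrite rather than a file-name match. The following .htaccess fragment is an added example written for this page; it is not part of Drupal core's .htaccess and not code from the reporter. The directory prefixes (sites/*/modules and modules) and the list of metadata file names are assumptions chosen for illustration and should be adjusted to the site's layout.

```apache
# Added example, not Drupal core's .htaccess: return 403 for module metadata
# files under contrib module directories regardless of whether the file, or
# even the module directory, exists.
#
# Place this inside the existing <IfModule mod_rewrite.c> block of Drupal's
# root .htaccess, BEFORE the front-controller rule (RewriteRule ^ index.php [L]),
# so the [F] rules are evaluated first. The directory prefixes and the file
# list below are assumptions for illustration.
<IfModule mod_rewrite.c>
  RewriteEngine on

  # Match the request path, not the filesystem: mod_rewrite evaluates the
  # pattern before Apache checks whether the target file exists, so a request
  # for /sites/all/modules/doesnotexist/CHANGELOG.txt gets the same 403 as
  # /sites/all/modules/views/CHANGELOG.txt. A <FilesMatch> block cannot give
  # that guarantee for a directory that is absent.
  RewriteRule "^(?:sites/[^/]+/modules|modules)/.+/(?:CHANGELOG|README|INSTALL|LICENSE|MAINTAINERS|UPGRADE)\.(?:txt|md)$" - [F,NC]

  # Composer metadata reveals the exact package version; block it the same way.
  RewriteRule "^(?:sites/[^/]+/modules|modules)/.+/composer\.(?:json|lock)$" - [F,NC]
</IfModule>
```

To check the rule, request the same file name under a module that is installed and under a name that is not (for example with curl -I) and confirm both return 403; if the absent one returns 404, the rule is either below the index.php pass-through or mod_rewrite is not active, and the fingerprinting gap remains. Two caveats: the file list has to be maintained by hand, so a new metadata file shipped by a module is not covered until it is added, and the same approach needs a separate location block on nginx, which ignores .htaccess entirely.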

✨ Feature request
Status

Postponed: needs info

Version

11.0 🔥

Component

base system

Created by

🇺🇸United States charles belov San Francisco, CA, US

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

  • stale-issue-cleanup

    To track issues in the developing policy for closing stale issues, [Policy, no patch] closing older issues


Comments & Activities


  • 🇺🇸United States smustgrave

    Thank you for sharing your idea for improving Drupal.

    We are working to decide if this proposal meets the Criteria for evaluating proposed changes. There hasn't been any discussion here for over 8 years which suggests that this has either been implemented or there is no community support. Your thoughts on this will allow a decision to be made.

    Since we need more information to move forward with this issue, the status is now Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

    Thanks!
