Disallow access to (core) development files using .htaccess

Created on 26 September 2018, about 6 years ago
Updated 30 April 2024, 8 months ago

Hello,

This issue is a follow-up of a security issue.

It is possible to get indications about the Drupal core version by accessing some development files embedded in core.

The majority of those files are caught by the .htaccess file, but there are four that are not.

- core/yarn.lock
- core/package.json
- core/phpcs.xml.dist
- core/phpunit.xml.dist

You can see this vulnerability by:
1. Installing Drupal
2. As an anonymous user with any permission, go to one of these URLs:
- http://example.com/core/yarn.lock
- http://example.com/core/package.json
- http://example.com/core/phpcs.xml.dist
- http://example.com/core/phpunit.xml.dist
3. See the content of the file instead of getting a 403 page from the server.

Here is a patch that fixes the issue.

This issue has been detected during a security audit for a customer project.

📌 Task
Status

Needs work

Version

11.0 🔥

Component
Base →

Last updated about 2 hours ago

Created by

🇫🇷France Grimreaper France 🇫🇷

  • Needs change record

    A change record needs to be drafted before an issue is committed. Note: Change records used to be called change notifications.

  • Needs release note

    The major change should have a special release note written to summarize the importance of the change. See Write a release note for an issue.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸United States smustgrave

    Comparing #36 and #35, it seems we lost some test coverage for

    + // Ensure package.json and yarn.lock cannot be accessed.
    + $file_paths["$path/package.json"] = 403;
    + $file_paths["$path/yarn.lock"] = 403;
    +

    Is there a new way for testing that in D10 and that's why it was removed?

  • Status changed to Needs review almost 2 years ago
  • 🇯🇵Japan eleonel Itoshima 🇯🇵
  • Status changed to RTBC almost 2 years ago
  • 🇺🇸United States smustgrave

    Cool, in that case I think what we have here is fine.

  • Status changed to Needs work almost 2 years ago
  • 🇪🇸Spain tunic Madrid

    Thanks to all the people working on this.

    I wanted to use this fix but the patch can't be used directly with Composer. For example, if you add the patch from #36 to the patches section in composer.json, Composer is not able to patch drupal core because it can't find the files to patch. I think this is because the drupal/core project has a special treatment in composer.json (paths and so on).

    To make it work with a project using Composer you have to modify the patch. I'm adding here the patch I'm using as text (based on #36), so it is not tested by the test run, avoiding introducing noise to the issue. This is to help any other people who want this functionality in their project.

    Let me be clear about this: the following patch is for people who want to integrate this fix in a Drupal project managed by Composer; this patch is not intended to be committed.

    diff --git a/assets/scaffold/files/htaccess b/assets/scaffold/files/htaccess
    index 116acf42fb..a46e1a871d 100644
    --- a/assets/scaffold/files/htaccess
    +++ b/assets/scaffold/files/htaccess
    @@ -3,7 +3,7 @@
     #
    
     # Protect files and directories from prying eyes.
    -<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
    +<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json|phpcs\.xml\.dist|phpunit\.xml\.dist)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
       <IfModule mod_authz_core.c>
         Require all denied
       </IfModule>
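    Review bot: the two new alternatives sit inside the anchored `^(...)$` group, so only the exact basenames `phpcs.xml.dist` and `phpunit.xml.dist` are denied; a copy of either file without the `.dist` suffix is not covered by this rule. If that is the intended scope, a short comment above the `<FilesMatch>` line saying so would help the next reader; if the un-suffixed variants should be denied too, `phpcs\.xml(\.dist)?|phpunit\.xml(\.dist)?` covers both forms in the same anchored group.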
    diff --git a/assets/scaffold/files/web.config b/assets/scaffold/files/web.config
    index b769e45e36..113ffc0201 100644
    --- a/assets/scaffold/files/web.config
    +++ b/assets/scaffold/files/web.config
    @@ -22,7 +22,7 @@
         <rewrite>
           <rules>
             <rule name="Protect files and directories from prying eyes" stopProcessing="true">
    -          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" />
    +          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn\.lock|package\.json|phpcs\.xml\.dist|phpunit\.xml\.dist)$" />
               <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
             </rule>
    
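    Review bot: besides adding the two `.dist` names, this line also rewrites `yarn.lock|package.json` as `yarn\.lock|package\.json`. The escaping is correct (an unescaped `.` matches any character), but it is an unrelated tightening that the comment should mention explicitly so the two changes are not conflated. Given the remark later in the thread that Windows production support is being dropped, it is also worth confirming whether the web.config hunk is still wanted at all.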
    diff --git a/modules/system/tests/fixtures/HtaccessTest/phpcs.xml.dist b/modules/system/tests/fixtures/HtaccessTest/phpcs.xml.dist
    new file mode 100644
    index 0000000000..e69de29bb2
    diff --git a/modules/system/tests/fixtures/HtaccessTest/phpunit.xml.dist b/modules/system/tests/fixtures/HtaccessTest/phpunit.xml.dist
    new file mode 100644
    index 0000000000..e69de29bb2
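    Review bot: both fixture files are zero-byte (`e69de29bb2` is git's id for the empty blob). That is sufficient for a test that only asserts on the HTTP status code, but an empty file gives no hint why it exists; a one-line comment in each fixture, or a sentence in the test's docblock stating that the fixtures are intentionally empty placeholders, would make the intent clear.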
    diff --git a/modules/system/tests/src/Functional/System/HtaccessTest.php b/modules/system/tests/src/Functional/System/HtaccessTest.php
    index 09046c446f..711ef5d042 100644
    --- a/modules/system/tests/src/Functional/System/HtaccessTest.php
    +++ b/modules/system/tests/src/Functional/System/HtaccessTest.php
    @@ -87,6 +87,10 @@ protected function getProtectedFiles() {
           $file_paths["$path/access_test.$file_ext"] = 200;
         }
    
    +    // Ensure development files cannot be accessed.
    +    $file_paths["$path/phpcs.xml.dist"] = 403;
    +    $file_paths["$path/phpunit.xml.dist"] = 403;
    +
         // Ensure composer.json and composer.lock cannot be accessed.
         $file_paths["$path/composer.json"] = 403;
         $file_paths["$path/composer.lock"] = 403;
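    Review bot: this hunk only adds the `phpcs.xml.dist` and `phpunit.xml.dist` assertions; the `package.json` and `yarn.lock` = 403 entries quoted earlier in the thread (from #35) do not appear here, so it is not visible from this patch whether those two names are still exercised by the test. Either restore those two lines alongside the new block or add a comment next to it stating where they are checked.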
    
    
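As an added example (not code from the issue, from Drupal core, or from any commenter), the following Python script takes the before and after `FilesMatch` patterns from the htaccess hunk posted above and evaluates them against the four basenames listed in the issue summary, plus a few constructed control names, to show which requests the rule would turn into a 403 before and after the fix. Apache matches `FilesMatch` against the file's basename with an unanchored, case-sensitive regex search, which `re.search` reproduces; the control names and the `audit`/`newly_denied` helpers are assumptions of this example, not part of the patch.

```python
import re

# Both patterns are copied verbatim from the htaccess hunk in this issue:
# the "-" line is the rule before the fix, the "+" line the rule after it.
FILESMATCH_BEFORE = r'\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$'
FILESMATCH_AFTER = r'\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json|phpcs\.xml\.dist|phpunit\.xml\.dist)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$'

# The four development files named in the issue summary, followed by
# constructed control names that show the rule does not over-block.
SAMPLE_BASENAMES = [
    "yarn.lock",
    "package.json",
    "phpcs.xml.dist",
    "phpunit.xml.dist",
    "index.php",      # constructed control: the front controller must stay reachable
    "robots.txt",     # constructed control: ordinary public file
    ".htaccess",      # constructed control: dotfile, already denied before the fix
    "composer.json",  # constructed control: already denied before the fix
]


def is_denied(pattern: str, basename: str) -> bool:
    """True when the FilesMatch pattern matches the basename.

    Apache evaluates FilesMatch against the basename only, as an unanchored,
    case-sensitive search, so re.search on the raw pattern is equivalent.
    """
    return re.search(pattern, basename) is not None


def audit(pattern: str, basenames=SAMPLE_BASENAMES) -> dict:
    """Map each basename to the status the rule produces: 403 when the pattern
    matches (the block is 'Require all denied'), otherwise 200 (file served)."""
    return {name: (403 if is_denied(pattern, name) else 200) for name in basenames}


def newly_denied(before: str, after: str, basenames=SAMPLE_BASENAMES) -> list:
    """Basenames the patched rule denies that the old rule still served."""
    old, new = audit(before, basenames), audit(after, basenames)
    return [n for n in basenames if old[n] == 200 and new[n] == 403]


def still_served(pattern: str, basenames=SAMPLE_BASENAMES) -> list:
    """Basenames a rule leaves reachable; use this to catch over-blocking."""
    return [n for n, status in audit(pattern, basenames).items() if status == 200]


if __name__ == "__main__":
    for label, pattern in (("before", FILESMATCH_BEFORE), ("after", FILESMATCH_AFTER)):
        print(f"--- FilesMatch rule {label} the patch ---")
        for name, status in audit(pattern).items():
            print(f"{status}  {name}")
    print("newly denied by the patch:", newly_denied(FILESMATCH_BEFORE, FILESMATCH_AFTER))
    print("still served after the patch:", still_served(FILESMATCH_AFTER))
```

Running the script shows that the old rule already returns 403 for `yarn.lock` and `package.json` but serves `phpcs.xml.dist` and `phpunit.xml.dist`, while the patched rule denies all four and leaves `index.php` and `robots.txt` untouched. The same list of basenames is what to request with `curl -I` against a deployed site, as the issue's reproduction steps describe, to confirm the scaffolded .htaccess actually in place matches the version tested here.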
  • 🇺🇸United States greggles Denver, Colorado, USA

    I believe this should only need to focus on .htaccess since 🌱 [policy, no patch] Drop support for Windows in production Needs review has been decided.
