- 🇺🇸 United States smustgrave
Comparing #36 and #35, it seems we lost some test coverage for
+ // Ensure package.json and yarn.lock cannot be accessed.
+ $file_paths["$path/package.json"] = 403;
+ $file_paths["$path/yarn.lock"] = 403;
Is there a new way of testing that in D10, and is that why it was removed?
- Status changed to Needs review
almost 2 years ago 12:54am 3 February 2023 - 🇯🇵 Japan eleonel Itoshima 🇯🇵
Hi @smustgrave
I removed them from the patch because we already have those lines on D10:
- Status changed to RTBC
almost 2 years ago 1:11am 3 February 2023 - 🇺🇸 United States smustgrave
Cool, in that case I think what we have here is fine.
- Status changed to Needs work
almost 2 years ago 10:52am 6 March 2023 - 🇪🇸 Spain tunic Madrid
Thanks to all the people working on this.
I wanted to use this fix, but the patch can't be used directly in Composer. For example, if you add the patch from #36 to the patches section in composer.json, Composer is not able to patch Drupal core because it can't find the files to patch. I think this is because the drupal/core project has special treatment in composer.json (paths and so on).
To make it work with a project using Composer you have to modify the patch. I'm adding the patch I'm using here as text (based on #36), so it is not picked up by the test run, avoiding introducing noise to the issue. This is to help anyone else who wants this functionality in their project.
Let me be clear about this: the following patch is for people who want to integrate this fix in a Drupal project managed by Composer; this patch is not intended to be committed.
diff --git a/assets/scaffold/files/htaccess b/assets/scaffold/files/htaccess index 116acf42fb..a46e1a871d 100644 --- a/assets/scaffold/files/htaccess +++ b/assets/scaffold/files/htaccess @@ -3,7 +3,7 @@ # # Protect files and directories from prying eyes. -<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"> +<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json|phpcs\.xml\.dist|phpunit\.xml\.dist)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"> <IfModule mod_authz_core.c> Require all denied </IfModule> diff --git a/assets/scaffold/files/web.config b/assets/scaffold/files/web.config index b769e45e36..113ffc0201 100644 --- a/assets/scaffold/files/web.config +++ b/assets/scaffold/files/web.config @@ -22,7 +22,7 @@ <rewrite> <rules> <rule name="Protect files and directories from prying eyes" stopProcessing="true"> - <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" /> + <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn\.lock|package\.json|phpcs\.xml\.dist|phpunit\.xml\.dist)$" /> <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." /> </rule> 
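Review bot: the new alternation in the htaccess FilesMatch rule (and the same addition in the web.config match) only covers the literal names phpcs.xml.dist and phpunit.xml.dist; the un-suffixed phpcs.xml and phpunit.xml that developers create by copying the .dist files are still served, because xml is not in the extension list either (only yml is). Consider `phpcs\.xml(\.dist)?|phpunit\.xml(\.dist)?` in both rules. The web.config hunk also changes `yarn.lock|package.json` to `yarn\.lock|package\.json`; that escaping fix is correct but unrelated to the issue, so it should be called out in the summary rather than slipped in.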
diff --git a/modules/system/tests/fixtures/HtaccessTest/phpcs.xml.dist b/modules/system/tests/fixtures/HtaccessTest/phpcs.xml.dist new file mode 100644 index 0000000000..e69de29bb2 diff --git a/modules/system/tests/fixtures/HtaccessTest/phpunit.xml.dist b/modules/system/tests/fixtures/HtaccessTest/phpunit.xml.dist new file mode 100644 index 0000000000..e69de29bb2 diff --git a/modules/system/tests/src/Functional/System/HtaccessTest.php b/modules/system/tests/src/Functional/System/HtaccessTest.php index 09046c446f..711ef5d042 100644 --- a/modules/system/tests/src/Functional/System/HtaccessTest.php +++ b/modules/system/tests/src/Functional/System/HtaccessTest.php @@ -87,6 +87,10 @@ protected function getProtectedFiles() { $file_paths["$path/access_test.$file_ext"] = 200; } + // Ensure development files cannot be accessed. + $file_paths["$path/phpcs.xml.dist"] = 403; + $file_paths["$path/phpunit.xml.dist"] = 403; + // Ensure composer.json and composer.lock cannot be accessed. $file_paths["$path/composer.json"] = 403; $file_paths["$path/composer.lock"] = 403;
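Review bot: the two new fixtures under modules/system/tests/fixtures/HtaccessTest/ are empty files (e69de29bb2 is the empty blob), which is fine since only the 403 matters, but the assertions in getProtectedFiles() only pin the .dist names; if the FilesMatch rule is widened to also cover phpcs.xml and phpunit.xml, add matching fixtures and rows such as `$file_paths["$path/phpunit.xml"] = 403;` so the test fails when the rule regresses. The new comment `// Ensure development files cannot be accessed.` should name the files, as the neighbouring `// Ensure composer.json and composer.lock cannot be accessed.` does.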
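As an added example (not code from this issue or from Drupal core), the script below applies the before and after FilesMatch patterns copied from the htaccess hunk above to a few constructed file names, the way Apache evaluates FilesMatch (the regex is searched against the basename only), so you can see which requests the change turns into 403s and which it does not, such as a local phpunit.xml without the .dist suffix.

```python
"""Compare the scaffold .htaccess FilesMatch rule before and after the patch.

Added illustration, not part of the Drupal issue or of core. OLD_PATTERN and
NEW_PATTERN are copied from the htaccess hunk above; SAMPLE_FILES are
constructed inputs chosen to show what the rule does and does not cover.
"""
import re

# Rule as shipped in assets/scaffold/files/htaccess (the "-" line).
OLD_PATTERN = (
    r"\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|"
    r"tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|"
    r"composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$"
    r"|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"
)

# Rule after the patch (the "+" line): two literal names appended.
NEW_PATTERN = (
    r"\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|"
    r"tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|"
    r"composer\.(json|lock)|web\.config|yarn\.lock|package\.json|"
    r"phpcs\.xml\.dist|phpunit\.xml\.dist)$"
    r"|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"
)


def is_blocked(filename: str, pattern: str = NEW_PATTERN) -> bool:
    """Emulate <FilesMatch>: Apache searches the regex (it does not require a
    full match) against the final path component, so use re.search on the
    basename alone."""
    return re.search(pattern, filename) is not None


def coverage_report(filenames):
    """Return {name: (blocked_before, blocked_after)} for each constructed input."""
    return {
        name: (is_blocked(name, OLD_PATTERN), is_blocked(name, NEW_PATTERN))
        for name in filenames
    }


SAMPLE_FILES = [  # constructed inputs, not taken from the issue
    "phpunit.xml.dist",   # newly blocked by the patch
    "phpcs.xml.dist",     # newly blocked by the patch
    "phpunit.xml",        # local copy without .dist: served before and after
    "composer.json",      # already blocked by the ^(...)$ name list
    "settings.php.bak",   # blocked by the \.php(...backup suffix...) branch
    "dump.sql",           # blocked by the .*sql extension branch
    ".gitignore",         # blocked by ^\.(?!well-known).*
    ".well-known",        # exempted by the negative lookahead
    "index.php",          # plain .php is served, as it must be
]

if __name__ == "__main__":
    for name, (before, after) in coverage_report(SAMPLE_FILES).items():
        fmt = lambda blocked: "403" if blocked else "200"
        print(f"{name:18} before={fmt(before)} after={fmt(after)}")
```

Running it shows that the patch closes the two .dist names and nothing else; the phpunit.xml row is the gap a reviewer would want widened in the rule and covered by HtaccessTest.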
- 🇺🇸 United States greggles Denver, Colorado, USA
I believe this should only need to focus on .htaccess since [policy, no patch] Drop support for Windows in production (Needs review) has been decided.