Contrib.social

Clean up .htaccess and web.config file protection

Open on Drupal.org →
Created on 29 November 2018, almost 6 years ago
Updated 30 January 2023, almost 2 years ago

Problem/Motivation

Drupal's .htaccess and web.config files provide reasonable protection for sensitive files from prying eyes. There is FilesMatch (Apache) and a rewrite rule (IIS) that block accessing certain files based on a file name match. Looking at the history of the file over time, we only kept adding new patterns but never cleaned them up.

They provide protection for:
- Accessing PHP files directly via the web server (module, install, inc, profile, etc).
- Accessing sensitive static files (twig, yml, po, composer.json, composer.lock, etc).
- Access said files as temporary edit files of Vim and emacs (swo, swp, ~, etc).
- Patch residue (.bak, .orig, #foo.php#, etc).

Among these rules, there are some out dated rules such as code-style.pl that are no longer relevant (code-style.pl was removed many years ago).

The regular expression is getting difficult to read and there are some improvements that we can (micro) optimize.

Proposed resolution

Evaluate the current list of rewrite rules. Remove the ones that we no longer need, and combine/optimize them.

Remaining tasks

* Discuss on the components to remove as they are no longer necessary.
* Optimize the rewrite rules to adapt to modern directory structures (.well-known directory is excluded from ^\..* matching for example)
* Optimize the regular expression with non capturing group.
* Discuss to change the order of rewrite rules to make them easier to read (file extensions, followed by exact file names, followed by dot files, followed by edit/patch residue, etc).
* Remove file patterns that we block, but are no longer relevant. For example, SVN-related file matches are not necessary because a parent level dot-directory match will block them. Other than that, Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format seems to have survived from early as 2003, but I couldn't find concrete evidence why they should be blocked, considering we block the .svn directory they are contained in.
* Update .htaccess and web.config configuration.
* Update nginx and other web server documentation as necessary.

User interface changes

None.

API changes

None.
The release notes will need to say that we updated the .htaccess file, and the tests need to be updated of course. No other API changes.

Data model changes

None.

📌 Task
Status

Needs work

Version

10.1

Component
Other 

Last updated about 4 hours ago

Created by

🇱🇰Sri Lanka Ayesh Everywhere

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment almost 2 years ago
    needs-review-queue-bot

    The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024