Allow vendor hardening to remove individual files

Created on 10 February 2020, almost 5 years ago
Updated 10 August 2024, 5 months ago

Problem/Motivation

The drupal/core-vendor-hardening plug-in is currently limited to removing entire directories. However, I can't see any reason to insist on this, and it would only be a small change (in cleanPathsForPackage) to allow removing individual files.

As an example, I would like to remove drupal/core: install.php. On our site all installs are from the command line and this file opens up another possible avenue for attackers.

Steps to reproduce

"extra": {
  "drupal-core-vendor-hardening": {
    "drupal/core": ["install.php"]
  }
}

Proposed resolution

Allow the vendor hardening plugin to remove files and directories.

Remaining tasks

None

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

The Vendor Hardening Composer Plugin now allows individual files to be removed.

📌 Task
Status

Fixed

Version

11.0 🔥

Component
Composer →

Last updated 15 days ago

No maintainer
Created by

🇬🇧 United Kingdom adamps

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
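
A post-install check for the configuration shown under "Steps to reproduce", as an added example that is not part of the original issue or the plugin's own code: it reads the drupal-core-vendor-hardening entries from composer.json and reports whether each listed file or directory is still on disk, flagging entries that resolve outside the package directory. The function names, the caller-supplied map of package install directories and the sample tree are assumptions made for the example.

```python
import json
import tempfile
from pathlib import Path

CONFIG_KEY = "drupal-core-vendor-hardening"  # key from the issue's composer.json snippet


def audit_hardening(composer_json: str, package_dirs: dict) -> list:
    """Return (package, path, state) for every configured path.

    state: "absent" (removed as intended), "file" or "dir" (still on disk),
    "escapes" (not strictly inside the package directory) or
    "unknown-package" (caller supplied no install directory).
    """
    extra = json.loads(composer_json).get("extra", {})
    findings = []
    for package, paths in extra.get(CONFIG_KEY, {}).items():
        base = package_dirs.get(package)  # assumption: caller knows install paths
        for rel in paths:
            if base is None:
                findings.append((package, rel, "unknown-package"))
                continue
            root = Path(base).resolve()
            target = (root / rel).resolve()  # follows symlinks and ".."
            if root not in target.parents:
                state = "escapes"  # a cleanup must never act on this entry
            elif target.is_dir():
                state = "dir"
            elif target.exists():
                state = "file"
            else:
                state = "absent"
            findings.append((package, rel, state))
    return findings


def demo() -> list:
    """Audit a constructed package tree built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        core = Path(tmp) / "core"  # constructed stand-in for drupal/core
        (core / "tests").mkdir(parents=True)
        (core / "install.php").write_text("<?php // placeholder\n")
        config = json.dumps({"extra": {CONFIG_KEY: {"drupal/core": [
            "install.php", "tests", "already-removed.txt", "../secrets"]}}})
        return audit_hardening(config, {"drupal/core": str(core)})


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

Any "file" or "dir" result after a Composer install means the listed path was not removed; "escapes" points at a configuration entry that should be corrected rather than acted on.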
