The Needs Review Queue Bot → tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.
- Status changed to Needs review
over 2 years ago 4:27am 16 February 2023 Adding the patch against Drupal 10.1.x-dev. No interdiff since the previous patch does not apply.
- Status changed to Needs work
over 2 years ago 5:29am 16 February 2023 - 🇨🇳China jungle Chongqing, China
Sass has two syntaxes! The SCSS syntax (.scss) is used most commonly. It's a superset of CSS, which means all valid CSS is also valid SCSS. The indented syntax (.sass) is more unusual: it uses indentation rather than curly braces to nest statements, and newlines instead of semicolons to separate them. All our examples are available in both syntaxes.
See https://sass-lang.com/documentation/syntax
.sassis a valid sass file extension. Meanwhile,.lessis a similar one (e.g. Less is used in Bootstrap 3)So I would suggest securing .sass and .less files as well.
- 🇨🇳China jungle Chongqing, China
Meanwhile, HtaccessTest, core/assets/scaffold/files/web.config, web.config, should be updated
- Status changed to Needs review
over 2 years ago 5:51am 16 February 2023 The last submitted patch, 23: 3190045-23.patch, failed testing. View results →
- 🇨🇳China jungle Chongqing, China
Add 3 files: access_test.scss, access_test.sass and access_test.less for testing.
- Status changed to Needs work
over 2 years ago 4:31pm 19 February 2023 - 🇨🇳China jungle Chongqing, China
Right
.pcss.css file exists in Drupal see https://api.drupal.org/api/drupal/core%21themes%21olivero%21css%21base%2...
.pcss is in use, see #3151341: Change the PostCSS file extension to pcss → - Status changed to Needs review
over 2 years ago 6:03pm 19 February 2023 - Status changed to RTBC
over 2 years ago 7:37pm 19 February 2023 - 🇺🇸United States smustgrave
Tested this on ddev, Drupal 10.1 with an apache-fpm server.
Visited https://drupal-10-x.ddev.site:8443/core/themes/claro/css/components/acti... and got an access denied. - 🇮🇳India rckstr_rohan
Reviewed Patch on #34, access has been successfully invoked, can be merged now.
- Status changed to Needs work
over 2 years ago 6:08pm 23 February 2023 The Needs Review Queue Bot → tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.
- Status changed to Needs review
over 2 years ago 6:54pm 23 February 2023 - 🇨🇳China jungle Chongqing, China
Update
core/scripts/css/postcss-build.jsto ignorecore/modules/system/tests/fixtures/HtaccessTest/access_test.pcss.css - Status changed to Needs work
over 2 years ago 7:05pm 23 February 2023 - Status changed to Needs review
over 2 years ago 8:05pm 23 February 2023 - 🇨🇳China jungle Chongqing, China
Added a dummy comment to the
.pcss.cssfile and generated its associated.cssfile for testing. - 🇨🇳China jungle Chongqing, China
+++ b/core/assets/scaffold/files/web.config --- /dev/null +++ b/core/modules/system/tests/fixtures/HtaccessTest/access_test.css +++ b/core/modules/system/tests/fixtures/HtaccessTest/access_test.css @@ -0,0 +1,6 @@ +/* + * DO NOT EDIT THIS FILE. + * See the following change record for more information, + * https://www.drupal.org/node/3084859 + * @preserve + *//* foo */ --- /dev/null +++ b/core/modules/system/tests/fixtures/HtaccessTest/access_test.pcss.css +++ b/core/modules/system/tests/fixtures/HtaccessTest/access_test.pcss.css @@ -0,0 +1 @@ +/* foo */Changes since #34
- Status changed to RTBC
over 2 years ago 9:27pm 23 February 2023 - 🇮🇳India rckstr_rohan
Reviewed the Patch on #42, works for me, so issue noticed.thanks
The last submitted patch, 42: 3190045-41.patch, failed testing. View results →
The last submitted patch, 42: 3190045-41.patch, failed testing. View results →
- Status changed to Needs work
over 2 years ago 5:44am 29 March 2023 - 🇮🇳India rckstr_rohan
The failure occurred in the testContextualLinks function, where there was an assertion failure due to a NULL value being evaluated as empty.
- Status changed to RTBC
over 2 years ago 12:19pm 29 March 2023 The last submitted patch, 42: 3190045-41.patch, failed testing. View results →
- 🇫🇷France vbouchet
Given the previous comments and the issue reported, I think it is again random failure.
- last update
about 2 years ago Custom Commands Failed - last update
about 2 years ago Custom Commands Failed - last update
about 2 years ago Custom Commands Failed - last update
almost 2 years ago Custom Commands Failed - last update
almost 2 years ago Custom Commands Failed - last update
almost 2 years ago Custom Commands Failed - last update
almost 2 years ago Custom Commands Failed - Status changed to Needs work
almost 2 years ago 4:37pm 11 July 2023 The Needs Review Queue Bot → tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
This does not mean that the patch needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.
Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.
- last update
about 1 year ago Patch Failed to Apply - last update
about 1 year ago Custom Commands Failed - 🇨🇦Canada fengtan Montreal, Canada
We are working on this issue at DrupalCon Portland 2024
- First commit to issue fork.
- Merge request !8006Issue #3190045: Block access to .scss, .sass, .less, .pcss and .pcss.css files. → (Closed) created by fengtan
- First commit to issue fork.
- 🇺🇸United States xjm
This seems like a great security improvement, but given the changes to the
.htaccess, and well-tested, but to be on the safe side I'd like a framework manager signoff on the change. Will ask about. - 🇺🇸United States xjm
OK, so it can't be empty:
[{"type":"issue","check_name":"no-empty-source","description":"Unexpected empty source (no-empty-source)","content":{"body":"Error found in no-empty-source. See https://stylelint.io/user-guide/rules/no-empty-source for more details."},"categories":["Style"],"location":{"path":"modules/system/tests/fixtures/HtaccessTest/access_test.pcss.css","lines":{"begin":1,"end":1},"positions":{"begin":{"line":1,"column":1},"end":{"line":1,"column":2}}},"severity":"major","fingerprint":"035978200c47e4bd55c604f40144ce3d"}]Going to make it say a meaningful thing instead.
- 🇺🇸United States xjm
Pushed up a revert of my bad commit and a change to the uninformative/debug-code-looking "foo" comment. Leaving RTBC since this is such a small change.
- 🇺🇸United States xjm
Committed to 11.x only as a change to site-owner-managed files.
Tagging for the release notes. I edited the change record to copy the release note, because "As title" is not actually good change record content. :D
Thanks everyone!
- 🇺🇸United States xjm
Also added the snippet to the drafts of the alpha and stable release notes for 11.3.0.
- 🇦🇺Australia mstrelan
I'm late to the party here but I'm wondering if this will impact source maps for local development if there are some configurations of postcss/sass etc that rely on browsers fetching the original source? Looks like that may be the sourcesContent option in postcss that defaults to true, so would only be affected if this had been set to false. Sass might have a similar option - https://sass-lang.com/documentation/cli/ruby-sass/#sourcemap
If we can verify that this is indeed an issue then this might warrant a CR.
- 🇺🇸United States xjm
Excellent catch, @mstrelan. Reopening for review/testing. If appropriate, we should add a bit to the existing CR and update the release notes to link it. (They didn't right now because it was 1:1.)
@mstrelan had another good thought in Slack which was:
Also if we're blocking these for security reasons, but then recommended they make sure the source is embedded in the map, then we should also recommend that the map file is not deployed to production. Maybe we should be blocking the map file too ...
So we could have a followup to add (I think)
.css.mapto the extension list as well? - 🇺🇸United States xjm
OK, I made a mistake here in that I tagged this for framework manager review because I was thinking about serving assets and the implications thereof, when in retrospect the actual correct choice would have been to tag it for frontend framework manager review because this is about access (or not) to frontend/em> assets, and (as per #79) affects the frontend developer's experience in a non-trivial way.
@nod_ also made the case that the security justification for this is very weak compared to PHP or JS sources. (For what it's worth, I mostly shrugged at the issue summary point about inline comments; I just considered it more of a "less is more" situation in terms of security hardening.) But if the security benefit is at best a marginal edgecase, while also making frontend development and debugging significantly harder, that's not a good tradeoff. It also doesn't look like anyone else is doing this.
@nod_ suggested that actually the correct course of here is to revert and wontfix. Since this is primarily a frontend framework issue, we'll do that. (The issue will remain credited, since wontfixed issues also grant credit now.)
