Automatically closed - issue fixed for 2 weeks with no activity.
Drupal core is adding configurable CSS/JS asset paths and a new assets://
stream wrapper in
📌
Make css/js optimized assets path configurable
Fixed
. Security Review should include this as part of the default ignore list in the file permissions check.
Either patch Drupal core (if less than 10.1) using the patch found in
📌
Make css/js optimized assets path configurable
Fixed
or install Drupa core 10.1. Configure an asset path that isn't the default public files directory path, e.g. /assets/css
instead of /sites/default/files/css
. Run Security Review file permissions check. It'll see the writable asset paths as insecure even when there's an .htaccess
there to prevent PHP execution like in public files.
Add this to \Drupal\security_review\Checks\FilePermissions::getIgnoreList()
:
// If the assets stream wrapper service exists, get the assets path.
//
// @see https://www.drupal.org/project/drupal/issues/3027639
// Drupal core issue to add this. Planned to be released in Drupal core
// 10.1.
//
// @todo Inject this into the constructor?
if ($this->container->has('stream_wrapper.assets')) {
$assetsPath = $this->container->get('stream_wrapper.assets')->basePath();
$ignore[] = \realpath($assetsPath);
}
Do the above.
None?
None.
Probably none?
Fixed
2.0
Code
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Automatically closed - issue fixed for 2 weeks with no activity.