Update FileSecurity class to copy files from scaffold directory

Created on 8 June 2023, over 1 year ago

Problem/Motivation

Currently there are .htaccess and web.config files generated dynamically by \Drupal\Component\FileSecurity\FileSecurity::writeHtaccess. This means the contents of these server configuration files live inside PHP code, which feels like the 1990s.

There are two variants, one that denies public access and one that does not. Wouldn't it be cleaner if these files lived in core/assets/scaffold/files and were simply copied to the target directories?

This would solve problems like 📌 "Generated .htaccess files should have a trailing line break" (Postponed) but also may remove the need for \Drupal\Composer\Plugin\VendorHardening\FileSecurity to exist, as per 🐛 "Fix problems Vendor Hardening Plugin has with using the File Security component" (Fixed).

Steps to reproduce

N/A

Proposed resolution

Update \Drupal\Composer\Plugin\VendorHardening\FileSecurity::writeHtaccess to copy files from core/assets/scaffold/files.

Determine if \Drupal\Composer\Plugin\VendorHardening\FileSecurity can be removed or replaced.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

📌 Task
Status: Needs work
Version: 11.0 🔥
Component: File system
Last updated 1 day ago
Created by 🇦🇺Australia mstrelan


Comments & Activities

  • Issue created by @mstrelan
  • last update over 1 year ago
    Custom Commands Failed
  • @mstrelan opened merge request.
  • Status changed to Needs review over 1 year ago
  • 🇦🇺Australia mstrelan

    Not sure it's possible for the scaffold files to live in core/assets/scaffold as per this README in core/lib/Drupal/Component:

    Each Component should be in its own namespace, and should be as self-contained
    as possible.  It should be possible to split a Component off to its own
    repository and use as a stand-alone library, independently of Drupal.
    

    So for now I've put the files inside the component directory.

  • Status changed to Needs work over 1 year ago
  • 🇦🇺Australia mstrelan

    Looks like there are a few places in core that try to read from FileSecurity::htaccessLines(). Back to NW.
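
The copy-based approach proposed in the issue summary, as an added sketch that is not Drupal core code or part of the merge request. The function name, the template file names and the template contents are assumptions made for this example; it also rejects a template without a trailing line break, the problem the linked issue describes.

```php
<?php
// Added example, not Drupal core code. The function name, template file
// names and template contents below are assumptions for illustration.

/**
 * Copies a static .htaccess template into $directory.
 *
 * Returns TRUE if a .htaccess file is in place afterwards.
 */
function copy_htaccess_template(string $template_dir, string $directory, bool $deny_public_access = TRUE, bool $force = FALSE): bool {
  $source = $template_dir . '/' . ($deny_public_access ? 'htaccess.deny' : 'htaccess.allow');
  $target = $directory . '/.htaccess';
  if (file_exists($target) && !$force) {
    // Leave an existing file alone; a site owner may have edited it.
    return TRUE;
  }
  $contents = @file_get_contents($source);
  // Refuse a missing or empty template, or one without a trailing line break.
  if ($contents === FALSE || $contents === '' || substr($contents, -1) !== "\n") {
    return FALSE;
  }
  if (!is_dir($directory) || !is_writable($directory)) {
    return FALSE;
  }
  // Write under a temporary name and rename it into place, so the web server
  // never reads a half-written file.
  $tmp = tempnam($directory, '.ht');
  if ($tmp === FALSE) {
    return FALSE;
  }
  if (file_put_contents($tmp, $contents) !== strlen($contents)) {
    unlink($tmp);
    return FALSE;
  }
  // Read-only, so the PHP process does not casually rewrite the file later.
  chmod($tmp, 0444);
  return rename($tmp, $target);
}

// Constructed demo: two minimal templates and a target directory in the system temp dir.
$base = sys_get_temp_dir() . '/filesecurity_demo_' . bin2hex(random_bytes(4));
mkdir("$base/templates", 0755, TRUE);
mkdir("$base/private", 0755, TRUE);
file_put_contents("$base/templates/htaccess.deny", "# Constructed sample, not Drupal's template.\nRequire all denied\n");
file_put_contents("$base/templates/htaccess.allow", "# Constructed sample, not Drupal's template.\nOptions -Indexes -ExecCGI\n");
var_dump(copy_htaccess_template("$base/templates", "$base/private"));
echo file_get_contents("$base/private/.htaccess");
```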
