Update FileSecurity class to copy files from scaffold directory

Open on Drupal.org →

Created on 8 June 2023, almost 2 years ago

Problem/Motivation

Currently there are .htaccess and web.config files generated dynamically by \Drupal\Component\FileSecurity\FileSecurity::writeHtaccess. This means the contents of these server configuration files lives inside PHP code, which feels like the 1990s.

There are two variants, one that denies public access and one that does not. Wouldn't it be cleaner if these files lived in core/assets/scaffold/files and were simply copied to the target directories?

This would solve problems like 📌 Generated .htaccess files should have a trailing line break Postponed but also may remove the need for \Drupal\Composer\Plugin\VendorHardening\FileSecurity to exist, as per 🐛 Fix problems Vendor Hardening Plugin has with using the File Security component Fixed .

Steps to reproduce

N/A

Proposed resolution

Update \Drupal\Composer\Plugin\VendorHardening\FileSecurity::writeHtaccess to copy files from core/assets/scaffold/files.

Determine if \Drupal\Composer\Plugin\VendorHardening\FileSecurity can be removed or replaced.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

📌 Task

Status

Needs work

Version

11.0 🔥

Component

File system →

Last updated about 4 hours ago

Maintained by
🇦🇺Australia @kim.pepper

Created by

🇦🇺Australia mstrelan

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Comments & Activities

Issue created by @mstrelan
Comment almost 2 years ago →
🇦🇺Australia mstrelan
Comment almost 2 years ago →
🇦🇺Australia mstrelan
Open in Jenkins → Open on Drupal.org →
Environment: PHP 8.2 & MySQL 8
last update almost 2 years ago
Custom Commands Failed
@mstrelan opened merge request.
Status changed to Needs review almost 2 years ago6:03am 8 June 2023
Comment almost 2 years ago →
🇦🇺Australia mstrelan
Not sure it's possible for the scaffold files to live in core/assets/scaffold as per this README in core/lib/Drupal/Component:

Each Component should be in its own namespace, and should be as self-contained as possible. It should be possible to split a Component off to its own repository and use as a stand-alone library, independently of Drupal.
So for now I've put the files inside the component directory.
Status changed to Needs work almost 2 years ago6:19am 8 June 2023
Comment almost 2 years ago →
🇦🇺Australia mstrelan
Looks like there are a few places in core that try to read from FileSecurity::htaccessLines(). Back to NW.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024