[D7] Prevent access to YAML files using .htaccess and web.config

Created on 13 September 2023, over 1 year ago
Updated 26 September 2023, about 1 year ago

Problem/Motivation

Currently Apache, IIS and any other web server will deliver YAML (.yml) files, assuming they have not been denied at the global level. We are going to introduce new YAML (.yml) config files with the GitLab CI pipeline config:

1. .gitlab-ci.yml - this file will be blocked by default, because the FilesMatch rule currently blocks files starting with a dot.

2. .gitlab-ci/pipeline.yml - if Apache has mod_rewrite enabled, this will be blocked as well. Otherwise the file will not be blocked.

Currently the .gitlab-ci/pipeline.yml file is blocked by this rule, which works only when mod_rewrite is enabled (it is not blocked by the default FilesMatch rule):

  # Block access to "hidden" directories whose names begin with a period. This
  # includes directories used by version control systems such as Subversion or
  # Git to store control files. Files whose names begin with a period, as well
  # as the control files used by CVS, are protected by the FilesMatch directive
  # above.
  #
  # NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
  # not possible to block access to entire directories from .htaccess, because
  # <DirectoryMatch> is not allowed here.
  #
  # If you do not have mod_rewrite installed, you should remove these
  # directories from your webroot or otherwise protect them from being
  # downloaded.
  RewriteRule "/\.|^\.(?!well-known/)" - [F]

-----------

There can be concerns about the possibility of determining the version if such files are accessible (see the discussion on Slack).

We should consider whether we need to add explicit .yml file protection to the FilesMatch rule and match the D10 behavior.

This has one drawback: the rule will block all .yml files, so if someone is using uploaded YAML files in the files directory, these will be blocked as well. This could be a BC break. We should weigh the pros and cons and decide whether the change is worth it.

There was a broader discussion in the D8 issue #1956698: Prevent access to YAML files using .htaccess and web.config.

Proposed resolution

Decide whether to block YAML files by default or not.
If yes, upload a patch and commit.
If not, close the issue.

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet
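The FilesMatch / mod_rewrite interaction described under Problem/Motivation, checked offline with an added Python example (an editorial addition, not code from this issue or from Drupal core). The FilesMatch pattern below is modelled on Drupal 7's core .htaccess but abridged, so the exact extension list is an assumption; the "yml" variant imitates what D8+ does; the RewriteRule pattern is the one quoted above. Apache applies <FilesMatch> to the basename only and a per-directory RewriteRule to the request path relative to the web root without a leading slash, which is what the evaluator reproduces. The sample paths are constructed.

```python
import re

# Abridged reconstruction of the Drupal 7 core .htaccess <FilesMatch> pattern
# (assumption: the real extension list is longer; only the shape matters here).
# Apache applies <FilesMatch> to the basename of the requested file, not to
# the directory part of the path.
D7_FILESMATCH = re.compile(
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme"
    r"|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template)$"
    r"|^#.*#$"
    r"|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"
)

# The same pattern with "yml" added to the extension alternation, which is the
# D8+/D10 behaviour the issue summary refers to (exact form is an assumption).
YML_FILESMATCH = re.compile(
    D7_FILESMATCH.pattern.replace("|xtmpl)", "|xtmpl|yml)", 1)
)

# The hidden-directory RewriteRule quoted in the issue summary. In .htaccess
# (per-directory) context Apache matches it against the request path relative
# to the web root, without the leading slash.
HIDDEN_DIR_RULE = re.compile(r"/\.|^\.(?!well-known/)")


def is_blocked(path: str, filesmatch: re.Pattern, mod_rewrite: bool) -> bool:
    """Return True if core's .htaccess would refuse (403) this request path."""
    basename = path.rsplit("/", 1)[-1]
    if filesmatch.search(basename):
        return True
    # The RewriteRule only exists when mod_rewrite is loaded; otherwise the
    # <IfModule mod_rewrite.c> block in .htaccess is skipped entirely.
    return mod_rewrite and HIDDEN_DIR_RULE.search(path) is not None


# Constructed sample request paths (relative to the web root).
SAMPLE_PATHS = [
    ".gitlab-ci.yml",                    # new core file, name starts with a dot
    ".gitlab-ci/pipeline.yml",           # new core file inside a hidden directory
    "sites/default/files/upload.yml",    # a site's own uploaded YAML file (BC case)
    ".well-known/acme-challenge/token",  # must stay reachable for ACME validation
    "CHANGELOG.txt",                     # version fingerprint core never blocks
]

CONFIGS = {
    "d7_no_rewrite": (D7_FILESMATCH, False),   # current rule, mod_rewrite absent
    "d7_rewrite": (D7_FILESMATCH, True),       # current rule, mod_rewrite loaded
    "yml_no_rewrite": (YML_FILESMATCH, False), # proposed rule, mod_rewrite absent
}


def audit(paths=SAMPLE_PATHS):
    """Evaluate every sample path under the three configurations discussed."""
    return {
        p: {name: is_blocked(p, fm, rw) for name, (fm, rw) in CONFIGS.items()}
        for p in paths
    }


if __name__ == "__main__":
    for path, results in audit().items():
        cells = "  ".join(f"{k}={'BLOCKED' if v else 'served'}" for k, v in results.items())
        print(f"{path:36s}{cells}")
```

The output shows the trade-off the summary describes: .gitlab-ci/pipeline.yml is served when mod_rewrite is absent under the current rule, while adding yml to FilesMatch blocks it everywhere but also blocks a site's own sites/default/files/upload.yml.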

📌 Task

Status: Closed: won't fix

Version: 7.0 ⚰️

Component: Base

Created by: 🇸🇰 Slovakia poker10

Tags: Security improvements

Comments & Activities

  • Issue created by @poker10
  • 🇸🇰 Slovakia poker10

    Updated the IS.

  • 🇬🇧 United Kingdom mcdruid 🇬🇧🇪🇺

    Seems a bit risky to put a broad rule in place that'd block all .yml files at this stage.

    If access to the two files in question is blocked by the most common configuration (apache + mod_rewrite), and the files don't contain any sensitive information, I don't think we need to make any more changes and risk causing regressions on existing sites.

    D7 still has a CHANGELOG file etc.. so fingerprinting version information is trivial unless sites take their own measures to block access to such info. If that's the main concern around access to a file like .gitlab-ci/pipeline.yml then individual sites can add their own protection if core's .htaccess is not sufficient.

    On that basis, I think we can close this as "won't fix".

  • Status changed to Closed: won't fix about 1 year ago
  • 🇸🇰 Slovakia poker10

    Thanks! Fabianx on Slack also agreed to not block all .yml files in this D7 phase, so closing this as proposed.
