Webserver configuration file does not block access to compressed sql files

Created on 20 October 2023, 8 months ago

Background information

security.drupal.org private issue: https://security.drupal.org/node/178555 (Included for reference. Please do not report access denied as an error.)
Originally reported by @ rhovland

Problem/Motivation

The provided .htaccess and web.config files block access to .*sql files. However mysqldump and drush can potentially create database dumps that are gzipped. And there's several other popular compression formats that a database dump may have been compressed in.

If this was the primary motivation for the block rule in these files then it needs to take into account the compressed variations of sql files too.

Example regex:
\.(.*sql)(\.zip|\.tar|\.tar\.gz|\.gz|\.7z)?$

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Contributors

- rhovland
- mlhess
- cliefen
- greggles
- catch

🐛 Bug report

Status

Active

Version

10.2 ✨

Component

Other →

Last updated about 3 hours ago

Created by

🇳🇱Netherlands dokumori Utrecht

Live updates comments and jobs are added and updated live.

Security
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Comments & Activities

Issue created by @dokumori
Comment 8 months ago →
🇳🇱Netherlands dokumori Utrecht

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024