Issue #1956698 by Gábor Hojtsy, xjm, alexpott, damiankloip, mgifford: Prevent access to YAML files using .htaccess and web.config.
parent
9a19c4e419
commit
7725fcf661
|
@ -3,7 +3,7 @@
|
|||
#
|
||||
|
||||
# Protect files and directories from prying eyes.
|
||||
<FilesMatch "\.(engine|inc|info\.yml|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
|
||||
<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
|
||||
<IfModule mod_authz_core.c>
|
||||
Require all denied
|
||||
</IfModule>
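Review bot: The last alternative of the new `FilesMatch` pattern, `\.php(~|\.sw[op]|\.bak|\.orig\.save)$`, reads `\.orig\.save` where the first suffix group on the same line reads `\.orig|\.save`. As written it matches only a name ending in `.php.orig.save`, so `.php.orig` and `.php.save` copies fall outside this deny rule. Backup copies of PHP files can hold configuration secrets, and unless another rule covers them they would presumably be served as plain text rather than executed. Since the line is being edited anyway, the tail should be `\.php(~|\.sw[op]|\.bak|\.orig|\.save)$`.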
|
||||
|
|
|
@ -0,0 +1,41 @@
|
|||
<?php
|
||||
|
||||
/**
|
||||
* @file
|
||||
* Contains Drupal\system\Tests\System\HtaccessTest
|
||||
*/
|
||||
|
||||
namespace Drupal\system\Tests\System;
|
||||
|
||||
use Drupal\simpletest\WebTestBase;
|
||||
|
||||
/**
|
||||
* Tests access restrictions provided by the default .htaccess file.
|
||||
*
|
||||
* @group system
|
||||
*/
|
||||
class HtaccessTest extends WebTestBase {
|
||||
|
||||
/**
|
||||
* Tests accessing files with .yml extensions at various locations.
|
||||
*/
|
||||
public function testYamlFileAccess() {
|
||||
// Try accessing the core services YAML file.
|
||||
$this->assertNoFileAccess('core/core.services.yml');
|
||||
// Try accessing a core module YAML file.
|
||||
$this->assertNoFileAccess('core/modules/system/system.services.yml');
|
||||
}
|
||||
|
||||
/**
|
||||
* Asserts that a file exists but not accessible via HTTP.
|
||||
*
|
||||
* @param $path
|
||||
* Path to file. Without leading slash.
|
||||
*/
|
||||
protected function assertNoFileAccess($path) {
|
||||
$this->assertTrue(file_exists(DRUPAL_ROOT . '/' . $path));
|
||||
$this->drupalGet($path);
|
||||
$this->assertResponse(403);
|
||||
}
|
||||
|
||||
}
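Review bot: `testYamlFileAccess()` requests only two `*.services.yml` files, so the `info\.yml` alternative this commit removes from the patterns is not exercised. Neither are the backup suffixes that now apply to `yml`, so a later edit that narrows the pattern again would still pass; a request for a `.info.yml` file from the same module directory would cover the removed alternative. In `assertNoFileAccess()` the bare `assertTrue(file_exists(...))` gives no hint on failure, so pass a message, e.g. `$this->assertTrue(file_exists(DRUPAL_ROOT . '/' . $path), 'File exists on disk: ' . $path);`. The docblock should read `@param string $path` and "exists but is not accessible via HTTP". The class docblock should also state that the 403 depends on the test web server applying the shipped `.htaccess` (or `web.config`) rules.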
|
|
@ -22,7 +22,7 @@
|
|||
<rewrite>
|
||||
<rules>
|
||||
<rule name="Protect files and directories from prying eyes" stopProcessing="true">
|
||||
<match url="\.(engine|inc|info\.yml|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$" />
|
||||
<match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$" />
|
||||
<action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
|
||||
</rule>
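Review bot: The new `match url` pattern closes its extension group directly with `$`, so it lacks the optional `(~|\.sw[op]|\.bak|\.orig|\.save)?` suffix that the `.htaccess` rule in this commit has. A backup copy such as a `.yml.bak` file would therefore not get the 403 on IIS. The extension lists also differ (`make` appears only in `.htaccess`, `svn-base` only here), which suggests the two rules are kept in step by hand. Consider ending the first group with `|yml|svn-base)(~|\.sw[op]|\.bak|\.orig|\.save)?$` and adding an XML comment above the rule saying it must mirror the `.htaccess` pattern. The enclosing `<rules>` element starts in this hunk but continues outside it.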
|
||||
|
||||
|
|