Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #3327115 by Eric_A, alexpott, xjm, longwave, pandaski: .htaccess rules broken since yarn.lock got added

merge-requests/3108/head
xjm 2022-12-14 20:51:17 -06:00
parent 5443367eb8
commit efb94e3a54
No known key found for this signature in database
GPG Key ID: 206B0B8743BDF4C2
5 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.htaccess
View File

@ -3,7 +3,7 @@
#
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)|$yarn.lock$|package.json$">
<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>

2
core/assets/scaffold/files/htaccess
View File

@ -3,7 +3,7 @@
#
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)|$yarn.lock$|package.json$">
<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>

0
core/modules/system/tests/fixtures/HtaccessTest/package.json vendored Normal file
View File

0
core/modules/system/tests/fixtures/HtaccessTest/yarn.lock vendored Normal file
View File

4
core/modules/system/tests/src/Functional/System/HtaccessTest.php
View File

@ -91,6 +91,10 @@ class HtaccessTest extends BrowserTestBase {
$file_paths["$path/composer.json"] = 403;
$file_paths["$path/composer.lock"] = 403;
// Ensure package.json and yarn.lock cannot be accessed.
$file_paths["$path/package.json"] = 403;
$file_paths["$path/yarn.lock"] = 403;
// Ensure web server configuration files cannot be accessed.
$file_paths["$path/.htaccess"] = 403;
$file_paths["$path/web.config"] = 403;