Issue #3437335 by fromme, catch: Remove web.config from 11.x

composer.lock

@@ -495,7 +495,7 @@
             "dist": {
                 "type": "path",
                 "url": "core",
-                "reference": "1271fe53d733e84423b9a824ad5ca7b145db096d"
+                "reference": "c02a5aeb8449c7bf2c4a4f5bcf2898ea97e8e923"
             },
             "require": {
                 "asm89/stack-cors": "^2.1",
@@ -592,7 +592,6 @@
                         "[web-root]/README.md": "assets/scaffold/files/drupal.README.md",
                         "[web-root]/robots.txt": "assets/scaffold/files/robots.txt",
                         "[web-root]/update.php": "assets/scaffold/files/update.php",
-                        "[web-root]/web.config": "assets/scaffold/files/web.config",
                         "[web-root]/sites/README.txt": "assets/scaffold/files/sites.README.txt",
                         "[web-root]/sites/development.services.yml": "assets/scaffold/files/development.services.yml",
                         "[web-root]/sites/example.settings.local.php": "assets/scaffold/files/example.settings.local.php",

composer/Plugin/Scaffold/README.md

@@ -450,7 +450,6 @@ Sample composer.json for composer-scaffold files in drupal/assets:
         "[web-root]/index.php": "assets/index.php",
         "[web-root]/robots.txt": "assets/robots.txt",
         "[web-root]/update.php": "assets/update.php",
-        "[web-root]/web.config": "assets/web.config"
       }
     }
   }

composer/Plugin/VendorHardening/FileSecurity.php

@@ -100,39 +100,6 @@ EOF;
 EOF;
   }
 
-  /**
-   * Writes a web.config file in the given directory, if it doesn't exist.
-   *
-   * @param string $directory
-   *   The directory.
-   * @param bool $force
-   *   (optional) Set to TRUE to force overwrite an existing file.
-   *
-   * @return bool
-   *   TRUE if the file already exists or was created. FALSE otherwise.
-   */
-  public static function writeWebConfig($directory, $force = FALSE) {
-    return self::writeFile($directory, 'web.config', self::webConfigLines(), $force);
-  }
-
-  /**
-   * Returns the standard web.config lines for security.
-   *
-   * @return string
-   *   The contents of the web.config file.
-   */
-  public static function webConfigLines() {
-    return <<<EOT
-<configuration>
-  <system.webServer>
-    <authorization>
-      <deny users="*">
-    </authorization>
-  </system.webServer>
-</configuration>
-EOT;
-  }
-
   /**
    * Writes the contents to the file in the given directory.
    *

composer/Plugin/VendorHardening/README.txt

@@ -35,9 +35,9 @@ This plugin can also clean up packages that were installed outside of the
 vendor directory, using composer/installers. This allows users to configure the
 plugin to clean up, for instance, Drupal extensions and Drupal core.
 
-2) The plugin also adds .htaccess and web.config files to the root of the
-project's vendor directory. These files will perform due diligence to keep the
-web server from serving files from within the vendor directory.
+2) The plugin also adds .htaccess file to the root of the
+project's vendor directory. The file will perform due diligence to keep the
+web server from serving file from within the vendor directory.
 
 How do I set it up?
 -------------------

composer/Plugin/VendorHardening/VendorHardeningPlugin.php

@@ -370,18 +370,15 @@ class VendorHardeningPlugin implements PluginInterface, EventSubscriberInterface
   }
 
   /**
-   * Place .htaccess and web.config files into the vendor directory.
+   * Place .htaccess file into the vendor directory.
    *
    * @param string $vendor_dir
    *   Path to vendor directory.
    */
   public function writeAccessRestrictionFiles(string $vendor_dir): void {
-    $this->io->writeError('<info>Hardening vendor directory with .htaccess and web.config files.</info>');
+    $this->io->writeError('<info>Hardening vendor directory with .htaccess file.</info>');
     // Prevent access to vendor directory on Apache servers.
     FileSecurity::writeHtaccess($vendor_dir, TRUE);
-
-    // Prevent access to vendor directory on IIS servers.
-    FileSecurity::writeWebConfig($vendor_dir);
   }
 
 }

core/assets/scaffold/files/robots.txt

@@ -46,7 +46,6 @@ Disallow: /composer/Template/README.txt
 Disallow: /modules/README.txt
 Disallow: /sites/README.txt
 Disallow: /themes/README.txt
-Disallow: /web.config
 # Paths (clean URLs)
 Disallow: /admin/
 Disallow: /comment/reply/

core/assets/scaffold/files/web.config

@@ -1,91 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<configuration>
-  <system.webServer>
-    <!-- Don't show directory listings for URLs which map to a directory. -->
-    <directoryBrowse enabled="false" />
-
-    <!--
-       Caching configuration was not delegated by default. Some hosters may not
-       delegate the caching configuration to site owners by default and that
-       may cause errors when users install. Uncomment this if you want to and
-       are allowed to enable caching.
-     -->
-    <!--
-    <caching>
-      <profiles>
-        <add extension=".php" policy="DisableCache" kernelCachePolicy="DisableCache" />
-        <add extension=".html" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="14:00:00" />
-      </profiles>
-    </caching>
-     -->
-
-    <rewrite>
-      <rules>
-        <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" />
-          <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
-        </rule>
-
-        <rule name="Force simple error message for requests for non-existent favicon.ico" stopProcessing="true">
-          <match url="favicon\.ico" />
-          <action type="CustomResponse" statusCode="404" subStatusCode="1" statusReason="File Not Found" statusDescription="The requested file favicon.ico was not found" />
-          <conditions>
-            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
-          </conditions>
-        </rule>
-    <!-- To redirect all users to access the site WITH the 'www.' prefix,
-     http://example.com/foo will be redirected to http://www.example.com/foo)
-     adapt and uncomment the following:   -->
-    <!--
-        <rule name="Redirect to add www" stopProcessing="true">
-          <match url="^(.*)$" ignoreCase="false" />
-          <conditions>
-            <add input="{HTTP_HOST}" pattern="^example\.com$" />
-          </conditions>
-          <action type="Redirect" redirectType="Permanent" url="http://www.example.com/{R:1}" />
-        </rule>
-    -->
-
-    <!-- To redirect all users to access the site WITHOUT the 'www.' prefix,
-     http://www.example.com/foo will be redirected to http://example.com/foo)
-     adapt and uncomment the following:   -->
-    <!--
-        <rule name="Redirect to remove www" stopProcessing="true">
-          <match url="^(.*)$" ignoreCase="false" />
-          <conditions>
-            <add input="{HTTP_HOST}" pattern="^www\.example\.com$" />
-          </conditions>
-          <action type="Redirect" redirectType="Permanent" url="http://example.com/{R:1}" />
-        </rule>
-    -->
-
-        <!-- Pass all requests not referring directly to files in the filesystem
-         to index.php. -->
-        <rule name="Short URLS" stopProcessing="true">
-          <match url="^(.*)$" ignoreCase="false" />
-          <conditions>
-            <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
-            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
-            <add input="{URL}" pattern="^/favicon.ico$" ignoreCase="false" negate="true" />
-          </conditions>
-          <action type="Rewrite" url="index.php" />
-        </rule>
-      </rules>
-    </rewrite>
-
-  <!-- If running Windows Server 2008 R2 this can be commented out -->
-    <!-- httpErrors>
-      <remove statusCode="404" subStatusCode="-1" />
-      <error statusCode="404" prefixLanguageFilePath="" path="/index.php" responseMode="ExecuteURL" />
-    </httpErrors -->
-
-    <defaultDocument>
-     <!-- Set the default document -->
-      <files>
-         <clear />
-        <add value="index.php" />
-      </files>
-    </defaultDocument>
-
-  </system.webServer>
-</configuration>

core/composer.json

@@ -135,7 +135,6 @@
                 "[web-root]/README.md": "assets/scaffold/files/drupal.README.md",
                 "[web-root]/robots.txt": "assets/scaffold/files/robots.txt",
                 "[web-root]/update.php": "assets/scaffold/files/update.php",
-                "[web-root]/web.config": "assets/scaffold/files/web.config",
                 "[web-root]/sites/README.txt": "assets/scaffold/files/sites.README.txt",
                 "[web-root]/sites/development.services.yml": "assets/scaffold/files/development.services.yml",
                 "[web-root]/sites/example.settings.local.php": "assets/scaffold/files/example.settings.local.php",

core/lib/Drupal/Component/FileSecurity/FileSecurity.php

@@ -98,39 +98,6 @@ EOF;
 EOF;
   }
 
-  /**
-   * Writes a web.config file in the given directory, if it doesn't exist.
-   *
-   * @param string $directory
-   *   The directory.
-   * @param bool $force
-   *   (optional) Set to TRUE to force overwrite an existing file.
-   *
-   * @return bool
-   *   TRUE if the file already exists or was created. FALSE otherwise.
-   */
-  public static function writeWebConfig($directory, $force = FALSE) {
-    return self::writeFile($directory, 'web.config', self::webConfigLines(), $force);
-  }
-
-  /**
-   * Returns the standard web.config lines for security.
-   *
-   * @return string
-   *   The contents of the web.config file.
-   */
-  public static function webConfigLines() {
-    return <<<EOT
-<configuration>
-  <system.webServer>
-    <authorization>
-      <deny users="*">
-    </authorization>
-  </system.webServer>
-</configuration>
-EOT;
-  }
-
   /**
    * Writes the contents to the file in the given directory.
    *

core/modules/system/tests/src/Functional/System/HtaccessTest.php

@@ -99,7 +99,6 @@ class HtaccessTest extends BrowserTestBase {
 
     // Ensure web server configuration files cannot be accessed.
     $file_paths["$path/.htaccess"] = 403;
-    $file_paths["$path/web.config"] = 403;
 
     return $file_paths;
   }

core/tests/Drupal/Tests/Component/FileSecurity/FileSecurityTest.php

@@ -63,36 +63,4 @@ class FileSecurityTest extends TestCase {
     $this->assertFalse(FileSecurity::writeHtaccess(vfsStream::url('root') . '/foo'));
   }
 
-  /**
-   * @covers ::writeWebConfig
-   */
-  public function testWriteWebConfig() {
-    vfsStream::setup('root');
-    $this->assertTrue(FileSecurity::writeWebConfig(vfsStream::url('root')));
-    $web_config_file = vfsStream::url('root') . '/web.config';
-    $this->assertFileExists($web_config_file);
-    $this->assertEquals('0444', substr(sprintf('%o', fileperms($web_config_file)), -4));
-  }
-
-  /**
-   * @covers ::writeWebConfig
-   */
-  public function testWriteWebConfigForceOverwrite() {
-    vfsStream::setup('root');
-    $web_config_file = vfsStream::url('root') . '/web.config';
-    file_put_contents($web_config_file, "foo");
-    $this->assertTrue(FileSecurity::writeWebConfig(vfsStream::url('root'), TRUE));
-    $this->assertFileExists($web_config_file);
-    $this->assertEquals('0444', substr(sprintf('%o', fileperms($web_config_file)), -4));
-    $this->assertStringNotContainsString("foo", $web_config_file);
-  }
-
-  /**
-   * @covers ::writeWebConfig
-   */
-  public function testWriteWebConfigFailure() {
-    vfsStream::setup('root');
-    $this->assertFalse(FileSecurity::writeWebConfig(vfsStream::url('root') . '/foo'));
-  }
-
 }

core/tests/Drupal/Tests/Composer/Plugin/Scaffold/Functional/ManageGitIgnoreTest.php

@@ -127,7 +127,6 @@ class ManageGitIgnoreTest extends TestCase {
 /index.php
 /robots.txt
 /update.php
-/web.config
 EOT;
     // At this point we should have a .gitignore file, because although we did
     // not explicitly ask for .gitignore tracking, the vendor directory is not
@@ -242,7 +241,6 @@ Scaffolding files for fixtures/drupal-assets-fixture:
   - Copy [web-root]/index.php from assets/index.php
   - Skip [web-root]/robots.txt: overridden in fixtures/drupal-composer-drupal-project
   - Copy [web-root]/update.php from assets/update.php
-  - Copy [web-root]/web.config from assets/web.config
 Scaffolding files for fixtures/scaffold-override-fixture:
   - Copy [web-root]/sites/default/default.settings.php from assets/override-settings.php
 Scaffolding files for fixtures/drupal-composer-drupal-project:

core/tests/Drupal/Tests/Composer/Plugin/Scaffold/Functional/ScaffoldTest.php

@@ -408,7 +408,6 @@ include __DIR__ . "/settings-custom-additions.php";',
     $this->assertScaffoldedFile($docroot . '/sites/example.sites.php', $is_link, 'Test version of example.sites.php from drupal/core.');
     $this->assertScaffoldedFile($docroot . '/index.php', $is_link, 'Test version of index.php from drupal/core.');
     $this->assertScaffoldedFile($docroot . '/update.php', $is_link, 'Test version of update.php from drupal/core.');
-    $this->assertScaffoldedFile($docroot . '/web.config', $is_link, 'Test version of web.config from drupal/core.');
   }
 
   /**

core/tests/Drupal/Tests/Composer/Plugin/Scaffold/fixtures/README.md

@@ -30,7 +30,6 @@ Scaffolding files for fixtures/drupal-assets-fixture:
   - Link [web-root]/index.php from assets/index.php
   - Skip [web-root]/robots.txt: overridden in my/project
   - Link [web-root]/update.php from assets/update.php
-  - Link [web-root]/web.config from assets/web.config
 Scaffolding files for fixtures/scaffold-override-fixture:
   - Link [web-root]/sites/default/default.settings.php from assets/override-settings.php
 Scaffolding files for my/project:

core/tests/Drupal/Tests/Composer/Plugin/Scaffold/fixtures/drupal-assets-fixture/assets/web.config

@@ -1,2 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!-- Test version of web.config from drupal/core. -->

core/tests/Drupal/Tests/Composer/Plugin/Scaffold/fixtures/drupal-assets-fixture/composer.json

@@ -16,8 +16,7 @@
         "[web-root]/sites/example.sites.php": "assets/example.sites.php",
         "[web-root]/index.php": "assets/index.php",
         "[web-root]/robots.txt": "assets/robots.txt",
-        "[web-root]/update.php": "assets/update.php",
-        "[web-root]/web.config": "assets/web.config"
+        "[web-root]/update.php": "assets/update.php"
       }
     }
   }

core/tests/Drupal/Tests/Composer/Plugin/VendorHardening/VendorHardeningPluginTest.php

@@ -166,12 +166,10 @@ class VendorHardeningPluginTest extends TestCase {
     $this->assertDirectoryExists($dir);
 
     $this->assertFileDoesNotExist($dir . '/.htaccess');
-    $this->assertFileDoesNotExist($dir . '/web.config');
 
     $plugin->writeAccessRestrictionFiles($dir);
 
     $this->assertFileExists($dir . '/.htaccess');
-    $this->assertFileExists($dir . '/web.config');
   }
 
   public static function providerFindBinOverlap() {

core/tests/Drupal/Tests/ComposerIntegrationTest.php

@@ -150,7 +150,6 @@ class ComposerIntegrationTest extends UnitTestCase {
       ['README.md', 'assets/scaffold/files/drupal.README.md'],
       ['robots.txt', 'assets/scaffold/files/robots.txt'],
       ['update.php', 'assets/scaffold/files/update.php'],
-      ['web.config', 'assets/scaffold/files/web.config'],
       ['sites/README.txt', 'assets/scaffold/files/sites.README.txt'],
       ['sites/development.services.yml', 'assets/scaffold/files/development.services.yml'],
       ['sites/example.settings.local.php', 'assets/scaffold/files/example.settings.local.php'],

robots.txt

@@ -46,7 +46,6 @@ Disallow: /composer/Template/README.txt
 Disallow: /modules/README.txt
 Disallow: /sites/README.txt
 Disallow: /themes/README.txt
-Disallow: /web.config
 # Paths (clean URLs)
 Disallow: /admin/
 Disallow: /comment/reply/

web.config

@@ -1,91 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<configuration>
-  <system.webServer>
-    <!-- Don't show directory listings for URLs which map to a directory. -->
-    <directoryBrowse enabled="false" />
-
-    <!--
-       Caching configuration was not delegated by default. Some hosters may not
-       delegate the caching configuration to site owners by default and that
-       may cause errors when users install. Uncomment this if you want to and
-       are allowed to enable caching.
-     -->
-    <!--
-    <caching>
-      <profiles>
-        <add extension=".php" policy="DisableCache" kernelCachePolicy="DisableCache" />
-        <add extension=".html" policy="CacheForTimePeriod" kernelCachePolicy="CacheForTimePeriod" duration="14:00:00" />
-      </profiles>
-    </caching>
-     -->
-
-    <rewrite>
-      <rules>
-        <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" />
-          <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
-        </rule>
-
-        <rule name="Force simple error message for requests for non-existent favicon.ico" stopProcessing="true">
-          <match url="favicon\.ico" />
-          <action type="CustomResponse" statusCode="404" subStatusCode="1" statusReason="File Not Found" statusDescription="The requested file favicon.ico was not found" />
-          <conditions>
-            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
-          </conditions>
-        </rule>
-    <!-- To redirect all users to access the site WITH the 'www.' prefix,
-     http://example.com/foo will be redirected to http://www.example.com/foo)
-     adapt and uncomment the following:   -->
-    <!--
-        <rule name="Redirect to add www" stopProcessing="true">
-          <match url="^(.*)$" ignoreCase="false" />
-          <conditions>
-            <add input="{HTTP_HOST}" pattern="^example\.com$" />
-          </conditions>
-          <action type="Redirect" redirectType="Permanent" url="http://www.example.com/{R:1}" />
-        </rule>
-    -->
-
-    <!-- To redirect all users to access the site WITHOUT the 'www.' prefix,
-     http://www.example.com/foo will be redirected to http://example.com/foo)
-     adapt and uncomment the following:   -->
-    <!--
-        <rule name="Redirect to remove www" stopProcessing="true">
-          <match url="^(.*)$" ignoreCase="false" />
-          <conditions>
-            <add input="{HTTP_HOST}" pattern="^www\.example\.com$" />
-          </conditions>
-          <action type="Redirect" redirectType="Permanent" url="http://example.com/{R:1}" />
-        </rule>
-    -->
-
-        <!-- Pass all requests not referring directly to files in the filesystem
-         to index.php. -->
-        <rule name="Short URLS" stopProcessing="true">
-          <match url="^(.*)$" ignoreCase="false" />
-          <conditions>
-            <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
-            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
-            <add input="{URL}" pattern="^/favicon.ico$" ignoreCase="false" negate="true" />
-          </conditions>
-          <action type="Rewrite" url="index.php" />
-        </rule>
-      </rules>
-    </rewrite>
-
-  <!-- If running Windows Server 2008 R2 this can be commented out -->
-    <!-- httpErrors>
-      <remove statusCode="404" subStatusCode="-1" />
-      <error statusCode="404" prefixLanguageFilePath="" path="/index.php" responseMode="ExecuteURL" />
-    </httpErrors -->
-
-    <defaultDocument>
-     <!-- Set the default document -->
-      <files>
-         <clear />
-        <add value="index.php" />
-      </files>
-    </defaultDocument>
-
-  </system.webServer>
-</configuration>