From 7725fcf661f192582d15d8feda956ad0340fcfb4 Mon Sep 17 00:00:00 2001
From: Nathaniel Catchpole <catch@35733.no-reply.drupal.org>
Date: Thu, 23 Oct 2014 12:37:02 +0100
Subject: [PATCH] =?UTF-8?q?Issue=20#1956698=20by=20G=C3=A1bor=20Hojtsy,=20?=
 =?UTF-8?q?xjm,=20alexpott,=20damiankloip,=20mgifford:=20Prevent=20access?=
 =?UTF-8?q?=20to=20YAML=20files=20using=20.htaccess=20and=20web.config.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .htaccess | 2 +-
 .../system/src/Tests/System/HtaccessTest.php | 41 +++++++++++++++++++
 web.config | 2 +-
 3 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 core/modules/system/src/Tests/System/HtaccessTest.php
diff --git a/.htaccess b/.htaccess
index 0ad7be304817..5248bd85d619 100644
--- a/.htaccess
+++ b/.htaccess
@@ -3,7 +3,7 @@
 #
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|info\.yml|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
 <IfModule mod_authz_core.c>
 Require all denied
 </IfModule>
diff --git a/core/modules/system/src/Tests/System/HtaccessTest.php b/core/modules/system/src/Tests/System/HtaccessTest.php
new file mode 100644
index 000000000000..29f133d93906
--- /dev/null
+++ b/core/modules/system/src/Tests/System/HtaccessTest.php
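Review bot: The new `<FilesMatch>` line still ends in `\.php(~|\.sw[op]|\.bak|\.orig\.save)$`, which looks like a missing `|` between `\.orig` and `\.save`: as written that alternative only matches a `.php.orig.save` name, so `.php.orig` and `.php.save` backups are not denied by it, and `php` is not in the first extension group either. The intended alternative is presumably `\.php(~|\.sw[op]|\.bak|\.orig|\.save)$`. The `web.config` hunk in this commit anchors `yml` directly at `$` without the `(~|\.sw[op]|\.bak|\.orig|\.save)?` suffix group used here, so an editor backup of a YAML file would still be served under IIS; the two rules should agree. The closing `</FilesMatch>` lies outside the hunk.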
@@ -0,0 +1,41 @@
+<?php
+
+/**
+ * @file
+ * Contains Drupal\system\Tests\System\HtaccessTest
+ */
+
+namespace Drupal\system\Tests\System;
+
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests access restrictions provided by the default .htaccess file.
+ *
+ * @group system
+ */
+class HtaccessTest extends WebTestBase {
+
+ /**
+ * Tests accessing files with .yml extensions at various locations.
+ */
+ public function testYamlFileAccess() {
+ // Try accessing the core services YAML file.
+ $this->assertNoFileAccess('core/core.services.yml');
+ // Try accessing a core module YAML file.
+ $this->assertNoFileAccess('core/modules/system/system.services.yml');
+ }
+
+ /**
+ * Asserts that a file exists but not accessible via HTTP.
+ *
+ * @param $path
+ * Path to file. Without leading slash.
+ */
+ protected function assertNoFileAccess($path) {
+ $this->assertTrue(file_exists(DRUPAL_ROOT . '/' . $path));
+ $this->drupalGet($path);
+ $this->assertResponse(403);
+ }
+
+}
diff --git a/web.config b/web.config
index b71c37cdcb7a..b072d9b02db2 100644
--- a/web.config
+++ b/web.config
@@ -22,7 +22,7 @@
 <rewrite>
 <rules>
 <rule name="Protect files and directories from prying eyes" stopProcessing="true">
- <match url="\.(engine|inc|info\.yml|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$" />
+ <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$" />
 <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
 </rule>
-- 
GitLab
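Review bot: `@param $path` in the assertNoFileAccess() docblock carries no type; Drupal's documentation standard wants `@param string $path`, and the summary reads better as `Asserts that a file exists but is not accessible via HTTP.` The class docblock should also state that the test depends on the web server honouring `.htaccess` (Apache with `AllowOverride` enabled): on any other server `assertResponse(403)` fails, and the test cannot tell whether the `web.config` rule changed in this commit is effective. Passing a message to the existence check, e.g. `$this->assertTrue(file_exists(DRUPAL_ROOT . '/' . $path), "$path exists on disk.");`, would let a failure distinguish a missing fixture from a file that is actually exposed.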