From efb94e3a54a913693af46360f8ec6fd5fc7c898c Mon Sep 17 00:00:00 2001
From: xjm <xjm@65776.no-reply.drupal.org>
Date: Wed, 14 Dec 2022 20:51:17 -0600
Subject: [PATCH] Issue #3327115 by Eric_A, alexpott, xjm, longwave, pandaski:
 .htaccess rules broken since yarn.lock got added

---
 .htaccess                                                     | 2 +-
 core/assets/scaffold/files/htaccess                           | 2 +-
 core/modules/system/tests/fixtures/HtaccessTest/package.json  | 0
 core/modules/system/tests/fixtures/HtaccessTest/yarn.lock     | 0
 .../system/tests/src/Functional/System/HtaccessTest.php       | 4 ++++
 5 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 core/modules/system/tests/fixtures/HtaccessTest/package.json
 create mode 100644 core/modules/system/tests/fixtures/HtaccessTest/yarn.lock

diff --git a/.htaccess b/.htaccess
index cf54b9b8c217..116acf42fb3c 100644
--- a/.htaccess
+++ b/.htaccess
@@ -3,7 +3,7 @@
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)|$yarn.lock$|package.json$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
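Review bot: The anchored group `^(…|yarn\.lock|package\.json)$` on the new `FilesMatch` line denies only those two exact names. Other JavaScript dependency manifests that contrib or custom code may ship, such as npm's `package-lock.json`, would still be served and disclose the same dependency and version information. If that is in scope, `yarn\.lock|package(-lock)?\.json` inside the same group would cover it. The identical line in core/assets/scaffold/files/htaccess would need the same change. The `FilesMatch` block continues past the end of this hunk, so the rest of its deny rules were not reviewed.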
diff --git a/core/assets/scaffold/files/htaccess b/core/assets/scaffold/files/htaccess
index cf54b9b8c217..116acf42fb3c 100644
--- a/core/assets/scaffold/files/htaccess
+++ b/core/assets/scaffold/files/htaccess
@@ -3,7 +3,7 @@
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)|$yarn.lock$|package.json$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
diff --git a/core/modules/system/tests/fixtures/HtaccessTest/package.json b/core/modules/system/tests/fixtures/HtaccessTest/package.json
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/core/modules/system/tests/fixtures/HtaccessTest/yarn.lock b/core/modules/system/tests/fixtures/HtaccessTest/yarn.lock
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/core/modules/system/tests/src/Functional/System/HtaccessTest.php b/core/modules/system/tests/src/Functional/System/HtaccessTest.php
index e932fa3b348c..09046c446fc9 100644
--- a/core/modules/system/tests/src/Functional/System/HtaccessTest.php
+++ b/core/modules/system/tests/src/Functional/System/HtaccessTest.php
@@ -91,6 +91,10 @@ protected function getProtectedFiles() {
     $file_paths["$path/composer.json"] = 403;
     $file_paths["$path/composer.lock"] = 403;
 
+    // Ensure package.json and yarn.lock cannot be accessed.
+    $file_paths["$path/package.json"] = 403;
+    $file_paths["$path/yarn.lock"] = 403;
+
     // Ensure web server configuration files cannot be accessed.
     $file_paths["$path/.htaccess"] = 403;
     $file_paths["$path/web.config"] = 403;
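Review bot: The two added entries pin only the deny side, so they catch a pattern that fails to match `package.json` or `yarn.lock` but not one that matches too much, as the old unanchored `package.json$` alternative did. Since the map stores an expected status per path, a near-miss name that must stay reachable could be listed beside them with its expected status, given a matching empty fixture file. Whether such allow cases already exist cannot be seen here, because getProtectedFiles() starts and ends outside the hunk. The comment could also say why these files are denied, e.g. `// package.json and yarn.lock disclose dependency names and versions.`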
-- 
GitLab