From 2233484fbaabe30ecda8c15c49fed138b255be63 Mon Sep 17 00:00:00 2001
From: catch <catch@35733.no-reply.drupal.org>
Date: Thu, 17 Nov 2022 16:56:43 +0000
Subject: [PATCH] Issue #3308369 by JeroenT, cilefen: Block access to yarn.lock
and package.json
---
.htaccess | 2 +-
core/assets/scaffold/files/htaccess | 2 +-
core/assets/scaffold/files/web.config | 2 +-
web.config | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.htaccess b/.htaccess
index 28f04c56f534..cf54b9b8c217 100644
--- a/.htaccess
+++ b/.htaccess
@@ -3,7 +3,7 @@
#
# Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)|$yarn.lock$|package.json$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
diff --git a/core/assets/scaffold/files/htaccess b/core/assets/scaffold/files/htaccess
index 28f04c56f534..cf54b9b8c217 100644
--- a/core/assets/scaffold/files/htaccess
+++ b/core/assets/scaffold/files/htaccess
@@ -3,7 +3,7 @@
#
# Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)|$yarn.lock$|package.json$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
diff --git a/core/assets/scaffold/files/web.config b/core/assets/scaffold/files/web.config
index 79a0433c9d9d..b769e45e3699 100644
--- a/core/assets/scaffold/files/web.config
+++ b/core/assets/scaffold/files/web.config
@@ -22,7 +22,7 @@
<rewrite>
<rules>
<rule name="Protect files and directories from prying eyes" stopProcessing="true">
- <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess)$" />
+ <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" />
<action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
</rule>
diff --git a/web.config b/web.config
index 79a0433c9d9d..b769e45e3699 100644
--- a/web.config
+++ b/web.config
@@ -22,7 +22,7 @@
<rewrite>
<rules>
<rule name="Protect files and directories from prying eyes" stopProcessing="true">
- <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess)$" />
+ <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" />
<action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
</rule>
--
GitLab