From 580b4cf09ab4448d71ac35dffb803d5550ef4786 Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Mon, 18 Jan 2016 14:53:59 +0000
Subject: [PATCH] Issue #2392153 by mparker17, hussainweb, chris.smith,
 alexpott, dawehner: Disallow composer.json and composer.lock from being
 indexed

---
 .htaccess                                                    | 2 +-
 core/modules/system/src/Tests/System/HtaccessTest.php        | 5 +++++
 .../modules/system/tests/fixtures/HtaccessTest/composer.json | 0
 .../modules/system/tests/fixtures/HtaccessTest/composer.lock | 0
 web.config                                                   | 2 +-
 5 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 core/modules/system/tests/fixtures/HtaccessTest/composer.json
 create mode 100644 core/modules/system/tests/fixtures/HtaccessTest/composer.lock

diff --git a/.htaccess b/.htaccess
index 01c63af981f7..974999a9c8f0 100644
--- a/.htaccess
+++ b/.htaccess
@@ -3,7 +3,7 @@
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
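Review bot: The new `composer\.(json|lock)` alternative in the anchored `^(...)$` group matches only the exact file names, so editor and backup copies such as `composer.json~` or `composer.lock.bak` would still be served, while the extension-based first group of the same FilesMatch already accepts those suffixes for every name it covers. Writing the new alternative as `composer\.(json|lock)(~|\.sw[op]|\.bak|\.orig|\.save)?` keeps the two halves of the rule consistent. Since FilesMatch tests the basename, the rule as written does cover composer files in any directory, including `core/`. The `</FilesMatch>` that closes this block lies outside the hunk.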
diff --git a/core/modules/system/src/Tests/System/HtaccessTest.php b/core/modules/system/src/Tests/System/HtaccessTest.php
index 0165f196b2d2..86563a4d619a 100644
--- a/core/modules/system/src/Tests/System/HtaccessTest.php
+++ b/core/modules/system/src/Tests/System/HtaccessTest.php
@@ -86,6 +86,11 @@ protected function getProtectedFiles() {
     foreach ($file_exts_to_allow as $file_ext) {
       $file_paths["$path/access_test.$file_ext"] = 200;
     }
+
+    // Ensure composer.json and composer.lock cannot be accessed.
+    $file_paths["$path/composer.json"] = 403;
+    $file_paths["$path/composer.lock"] = 403;
+
     return $file_paths;
   }
 
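Review bot: The new expectations cover only the exact names `composer.json` and `composer.lock` under `$path`, so a protected-files rule that lacks (or later loses) backup-suffix coverage for these names would not be reported here; the neighbouring extension checks use the same fixture-directory convention, so adding `$file_paths["$path/composer.json.bak"] = 403;` together with an empty fixture would pin that behaviour if it is intended. Only the Apache `.htaccess` rule is exercised by this test; the parallel `web.config` change in the same commit has no coverage, which is presumably accepted because IIS is not available in the test environment. `getProtectedFiles()` begins before the hunk, where `$path` and `$file_exts_to_allow` are assigned.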
diff --git a/core/modules/system/tests/fixtures/HtaccessTest/composer.json b/core/modules/system/tests/fixtures/HtaccessTest/composer.json
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/core/modules/system/tests/fixtures/HtaccessTest/composer.lock b/core/modules/system/tests/fixtures/HtaccessTest/composer.lock
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/web.config b/web.config
index 782d4ae50d3b..a0535a10db23 100644
--- a/web.config
+++ b/web.config
@@ -22,7 +22,7 @@
     <rewrite>
       <rules>
         <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$" />
+          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock))$" />
           <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
         </rule>
 
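Review bot: The `url` pattern is anchored with `^...$`, and if IIS matches it against the full site-relative path, as the `url` attribute suggests, `composer\.(json|lock)` inside that group blocks only the root `composer.json`/`composer.lock`, not copies in subdirectories such as `core/composer.json`; the `.htaccess` FilesMatch in the same commit matches on basename and so covers every directory. If subdirectory coverage is intended, the name needs its own alternative that allows a path prefix, e.g. `|(^|/)composer\.(json|lock)$` appended at the top level rather than inside the anchored group. The existing names in that group have the same limitation, so this may be a pre-existing gap rather than a regression of this change. The `<rule>` element closes inside the hunk, but the enclosing `<rules>` continues past it.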
-- 
GitLab