Commit 534fe84b authored by catch's avatar catch

Issue #2508591 by timmillwood, alexpott, chx, pwolanin: vendor/ is web accessible

parent 848d6b8e
......@@ -145,6 +145,7 @@
"autoloader-suffix": "Drupal8"
},
"scripts": {
"pre-autoload-dump": "Drupal\\Core\\Composer\\Composer::preAutoloadDump"
"pre-autoload-dump": "Drupal\\Core\\Composer\\Composer::preAutoloadDump",
"post-autoload-dump": "Drupal\\Core\\Composer\\Composer::ensureHtaccess"
}
}
......@@ -106,8 +106,8 @@ public static function htaccessLines($private = TRUE) {
<IfModule !mod_authz_core.c>
Deny from all
</IfModule>
EOF
. $lines;
$lines
EOF;
}
return $lines;
......
......@@ -7,6 +7,7 @@
namespace Drupal\Core\Composer;
use Drupal\Component\PhpStorage\FileStorage;
use Composer\Script\Event;
/**
......@@ -36,4 +37,37 @@ public static function preAutoloadDump(Event $event) {
$package->setAutoload($autoload);
}
/**
* Ensures that .htaccess and web.config files are present in Composer root.
*
* @param \Composer\Script\Event $event
*/
public static function ensureHtaccess(Event $event) {
// The current working directory for composer scripts is where you run
// composer from.
$vendor_dir = $event->getComposer()->getConfig()->get('vendor-dir');
// Prevent access to vendor directory on Apache servers.
$htaccess_file = $vendor_dir . '/.htaccess';
if (!file_exists($htaccess_file)) {
file_put_contents($htaccess_file, FileStorage::htaccessLines(TRUE) . "\n");
}
// Prevent access to vendor directory on IIS servers.
$webconfig_file = $vendor_dir . '/web.config';
if (!file_exists($webconfig_file)) {
$lines = <<<EOT
<configuration>
<system.webServer>
<authorization>
<deny users="*">
</authorization>
</system.webServer>
</configuration>
EOT;
file_put_contents($webconfig_file, $lines . "\n");
}
}
}
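Review bot: The web.config template written by the second `file_put_contents` call is not well-formed XML: `<deny users="*">` inside `<authorization>` is never closed before `</authorization>`, so IIS is likely to reject the file as a configuration error instead of evaluating the deny rule; it should be the self-closing `<deny users="*" />`. Both `file_put_contents` calls also discard their return value, so an unwritable vendor directory leaves vendor/ unprotected while the Composer run still reports success — check for `=== false` and report it through `$event->getIO()->writeError(...)` or throw. The `file_exists` guards additionally mean a pre-existing .htaccess or web.config is never refreshed, so a deployment already carrying an older template keeps it even if these rules change later; if that is intended it deserves a comment such as `// Never overwrite: site owners may have customised these files.`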
......@@ -44,6 +44,9 @@ protected function getProtectedFiles() {
$file_paths[] = "$path/access_test.$file_ext";
}
// Try and access a non PHP file in the vendor directory.
$file_paths[] = 'core/vendor/composer/installed.json';
return $file_paths;
}
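Review bot: The new protected path `core/vendor/composer/installed.json` is hard-coded, while the protection added in this commit is written to whatever Composer reports as `vendor-dir`; if the two locations differ, the request returns 404 for a file that does not exist and the assertion passes without exercising the deny rule at all. Consider asserting the file exists on disk before requesting it, or deriving the path from the same location the .htaccess is written to, so the test fails loudly rather than vacuously if vendor/ moves. getProtectedFiles() starts outside the hunk, so how the other paths are assembled is not visible here.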
......
# Deny all requests from Apache 2.4+.
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Deny all requests from Apache 2.0-2.2.
<IfModule !mod_authz_core.c>
Deny from all
</IfModule>
# Turn off all options we don't need.
Options None
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
<configuration>
<system.webServer>
<authorization>
<deny users="*">
</authorization>
</system.webServer>
</configuration>