Commit 7725fcf6 authored by catch's avatar catch

Issue #1956698 by Gábor Hojtsy, xjm, alexpott, damiankloip, mgifford: Prevent...

Issue #1956698 by Gábor Hojtsy, xjm, alexpott, damiankloip, mgifford: Prevent access to YAML files using .htaccess and web.config.
parent 9a19c4e4
......@@ -3,7 +3,7 @@
#
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info\.yml|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
......
<?php
/**
* @file
* Contains Drupal\system\Tests\System\HtaccessTest
*/
namespace Drupal\system\Tests\System;
use Drupal\simpletest\WebTestBase;
/**
* Tests access restrictions provided by the default .htaccess file.
*
* @group system
*/
class HtaccessTest extends WebTestBase {
/**
* Tests accessing files with .yml extensions at various locations.
*/
public function testYamlFileAccess() {
// Try accessing the core services YAML file.
$this->assertNoFileAccess('core/core.services.yml');
// Try accessing a core module YAML file.
$this->assertNoFileAccess('core/modules/system/system.services.yml');
}
/**
* Asserts that a file exists but not accessible via HTTP.
*
* @param $path
* Path to file. Without leading slash.
*/
protected function assertNoFileAccess($path) {
$this->assertTrue(file_exists(DRUPAL_ROOT . '/' . $path));
$this->drupalGet($path);
$this->assertResponse(403);
}
}
......@@ -22,7 +22,7 @@
<rewrite>
<rules>
<rule name="Protect files and directories from prying eyes" stopProcessing="true">
<match url="\.(engine|inc|info\.yml|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$" />
<match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$" />
<action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
</rule>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment