By default, Apache, IIS, and any other web server will serve YAML (.yml) files like any other static file unless access to them has been denied at the server or site level.
In Drupal 8, YAML files can contain sensitive information that gives an intruder insight into the system, or data that is simply private. This matters more than before because default configuration values (what were variables in Drupal 7) now ship in YAML.
In Drupal 7 and earlier, this information typically lived in .info, .module, or .inc files, which the site's root .htaccess already protected.
The default .htaccess and web.config files should contain rules that deny access, by default, to YAML files residing in the normal locations.
The files directory (or directories) should not be subject to these restrictions.
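The rule described above, as an added example that is not the patch attached to this issue: an Apache fragment for the Drupal root .htaccess that denies direct requests for .yml files (and common editor or backup copies of them), followed by a fragment for the public files directory that grants them again. It assumes Apache 2.2 or 2.4 with `AllowOverride` set so that .htaccess is honoured, and that the files directory has its own .htaccess, as Drupal creates for it; the `.sw[op]|.bak|.orig|.save` suffixes are an assumption about which stray copies are worth covering.

```apache
# Added example (not the issue's patch): deny direct requests for YAML anywhere
# under the Drupal root. Matching on the filename only means the rule applies
# regardless of directory, so core/modules/system/config/system.site.yml and
# core/lib/Drupal/Core/CoreBundle.yml are both covered. The optional suffix
# group also catches leftover copies such as system.site.yml~ or *.yml.bak.
<FilesMatch "\.yml(~|\.sw[op]|\.bak|\.orig|\.save)?$">
  # Apache 2.4 (mod_authz_core present)
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2: "Order allow,deny" with no Allow directive denies everyone
  <IfModule !mod_authz_core.c>
    Order allow,deny
  </IfModule>
</FilesMatch>

# Added example for the public files directory (e.g. sites/default/files/.htaccess):
# re-grant YAML here so that user-uploaded .yml files are still served.
# Assumes this lives in the files directory's own .htaccess, where it overrides
# the deny rule inherited from the site root.
<FilesMatch "\.yml$">
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
  </IfModule>
</FilesMatch>
```

To check the rule after deploying it, request one of the paths from the report, for example `curl -sI https://example.com/core/modules/system/config/system.site.yml` (example.com is a placeholder), and confirm the server answers 403 rather than 200 with a `text/yaml` or `text/plain` body. IIS needs the equivalent in web.config, for instance a request-filtering rule under `<system.webServer><security><requestFiltering><fileExtensions>` with `allowed="false"` for `.yml`, and nginx ignores .htaccess entirely, so a site behind nginx needs a matching `location ~ \.yml$ { deny all; }` block or the files are exposed regardless of what Drupal ships.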
User interface changes
Original report by @alexpott
We should be preventing apache from serving YAML files as it'll be possible to get all sorts of information from them. The config directories are protected by their own .htaccess files but I don't think we should be exposing default module configuration e.g. core/modules/system/config/system.site.yml or service config e.g. core/lib/Drupal/Core/CoreBundle.yml either.
I'm not 100% certain this is the right approach - creating this issue to track the discussion.
| Comment | File | Size | Author | Test result |
|---|---|---|---|---|
| #55 | 1956698-55.patch | 2.73 KB | Gábor Hojtsy | PASSED: SimpleTest (PHP 5.4 MySQL), 79,599 passes |
| #55 | interdiff.txt | 1.07 KB | Gábor Hojtsy | |
| #52 | interdiff.txt | 1.32 KB | Gábor Hojtsy | |
| #52 | 1956698-52.patch | 2.45 KB | Gábor Hojtsy | PASSED: SimpleTest (PHP 5.4 MySQL), 79,553 passes |