Follow-up to #1956698: Prevent access to YAML files using .htaccess and web.config

Problem/Motivation

#1956698: Prevent access to YAML files using .htaccess and web.config adds test coverage to ensure that yml files cannot be accessed through the browser. It would make sense to add similar coverage for the other extensions restricted by .htaccess.

Proposed resolution

One the parent issue is committed, add additional assertions to Drupal\system\Tests\System\HtaccessTest for the other restricted file types. It might be a good idea to make a test module that includes a dummy file of each file type and use those files for the test assertions, so that the test is not coupled to other specific files that might change in the future. (This would include converting the existing assertion for core/core.services.yml to use a test YAML file.)

Remaining tasks

Contributor tasks needed
Task Novice task? Contributor instructions Complete?
Create a patch Novice Instructions
Add automated tests Novice Instructions
Review patch to ensure that it fixes the issue, stays within scope, is properly documented, and follows coding standards Novice Instructions

User interface changes

None

API changes

None

Postponed until

#1956698: Prevent access to YAML files using .htaccess and web.config

Beta phase evaluation

Reference: https://www.drupal.org/core/beta-changes
Issue category Task because this is an enhancement.
Issue priority Normal, because this is a test enhancement.
Unfrozen changes Unfrozen because it only changes automated tests.
Disruption Not disruptive for core/contributed and custom modules/themes because it is an automated test.
CommentFileSizeAuthor
#39 interdiff.txt5.25 KBeric115
#39 2332029-39.patch4.37 KBeric115
#35 interdiff.txt649 byteseric115
#35 2332029-35.patch4.37 KBeric115
#27 2332029-27.patch4.37 KBeric115
#26 2332029-26.patch4.38 KBeric115
#24 2332029-24.patch4.41 KBeric115
#22 2332029-22-FAIL.patch6.36 KBeric115
#20 2332029-20.patch5.64 KBeric115
#18 2332029-18.patch6.65 KBeric115
#15 2332029-14-FAIL.patch6.72 KBeric115
#11 2332029-11-FAIL.patch6.44 KBeric115
#11 2332029-11.patch5.42 KBeric115
#8 htaccess-test-failing-htaccess.patch2.84 KBeric115
#8 htaccess-2332029.patch1.82 KBeric115

Comments

xjm’s picture

xjm
she/her
Primary language English
commented
Component: configuration system » base system
mpdonadio’s picture

mpdonadio
he/him
Primary language English
Location Philadelphia/PA/USA (UTC-5)
commented

Is this also going to cover the .htaccess execution prevention rules in files, tmp, and private? If so, that should be added the the summary. If not, we should clarify the title a bit.

andyceo’s picture

andyceo commented
Status: Postponed » Active

#1956698: Prevent access to YAML files using .htaccess and web.config is in, so unpostpone.

unstatu’s picture

unstatu commented
Assigned: Unassigned » unstatu

Begun in Valencia Drupal Ladder 2014

pwolanin’s picture

pwolanin commented
Assigned: unstatu » Unassigned
eric115’s picture

eric115 commented

I am happy to work on this.

eric115’s picture

eric115 commented
Assigned: Unassigned » eric115
eric115’s picture

eric115 commented
Status: Active » Needs review
StatusFileSize
new htaccess-2332029.patch1.82 KB
new htaccess-test-failing-htaccess.patch2.84 KB

Here is a patch adding tests for the files in listed in the htaccess as being excluded. I have included two files, one of which has a modified htaccess to show that the test fails when the test is able to access those files.

The last submitted patch, 8: htaccess-2332029.patch, failed testing.

Status: Needs review » Needs work

The last submitted patch, 8: htaccess-test-failing-htaccess.patch, failed testing.

eric115’s picture

eric115 commented
StatusFileSize
new 2332029-11.patch5.42 KB
new 2332029-11-FAIL.patch6.44 KB

Sorry, the patch files were missing some of the changes. These patch files have the new files created for testing access. Also changed the patch file names to follow convention better.

benjy’s picture

benjy commented
Status: Needs work » Needs review

For the bot

Status: Needs review » Needs work

The last submitted patch, 11: 2332029-11-FAIL.patch, failed testing.

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
Status: Needs work » Needs review

That was just the bot being thorough. ;)

eric115’s picture

eric115 commented
StatusFileSize
new 2332029-14-FAIL.patch6.72 KB

Not enough tests failed in test bot, this patch is just to check which tests did fail.

Status: Needs review » Needs work

The last submitted patch, 15: 2332029-14-FAIL.patch, failed testing.

cilefen’s picture

cilefen commented 
+++ b/core/modules/system/src/Tests/System/HtaccessTest.php
@@ -15,15 +15,61 @@
+    foreach($files as $file) {

This should be foreach (.

Could you fix the parameter annotation in assertNoFileAccess(). It does not include the data type. I feel this is a justified change in this issue.

  1. +++ b/core/modules/system/src/Tests/System/HtaccessTest.php
@@ -15,15 +15,61 @@
+    $temp_files_exts = [
+      'sw',
+      'swop',
+      'bak',
+      'orig',
+      'save'
+    ];

    I like that you differentiate files that may start with a '.'. A poorly-configured web server may let those through. Are you sure all these file types usually begin with a '.'? 

  2. +++ b/core/modules/system/src/Tests/System/HtaccessTest.php
@@ -15,15 +15,61 @@
+      'save'

    The code style is to put a comma here.

eric115’s picture

eric115 commented
Status: Needs work » Needs review
StatusFileSize
new 2332029-18.patch6.65 KB

Thanks for your feedback, I have made those changes in this patch. In terms of the previous "fail" patch to prove these tests work, it looks like the test bot may have another htaccess file or other apache config that is still preventing access to most of the files (despite the modified htaccess file in the "fail" patch).

EDIT: Sorry please ignore this patch file, it has htaccess modifications in it. Please see comment #20

eric115’s picture

eric115 commented
Assigned: eric115 » Unassigned
eric115’s picture

eric115 commented
StatusFileSize
new 2332029-20.patch5.64 KB

Sorry, this is the patch file without htaccess changes.

The last submitted patch, 18: 2332029-18.patch, failed testing.

eric115’s picture

eric115 commented
Issue tags: +DrupalSouth
StatusFileSize
new 2332029-22-FAIL.patch6.36 KB

Modified the htaccess to allow access to the specified files to override the htaccess on the test bot website which was previously causing conflicts.

Status: Needs review » Needs work

The last submitted patch, 22: 2332029-22-FAIL.patch, failed testing.

eric115’s picture

eric115 commented
StatusFileSize
new 2332029-24.patch4.41 KB

The test only covers files that are blocked by Drupal's htaccess that aren't temporary files (starting with a dot). I checked the default configuration on OS X, CentOs and Ubuntu and they all have IndexIgnore rules which block dot files by default.

eric115’s picture

eric115 commented
Status: Needs work » Needs review
eric115’s picture

eric115 commented
StatusFileSize
new 2332029-26.patch4.38 KB

Updated some comments to make more sense and made some other general improvements.

eric115’s picture

eric115 commented
StatusFileSize
new 2332029-27.patch4.37 KB

Modified a comment to have better wording.

benjy’s picture

benjy commented
Status: Needs review » Reviewed & tested by the community

Eric has been working on this at DrupalSouth. Patch looks good and the tests add some great value. Nice work.

cilefen’s picture

cilefen commented

@Eric115 Cool! You should get in the habit of providing interdiffs when you make changes in new patches.

cilefen’s picture

cilefen commented 
+++ b/core/modules/system/src/Tests/System/HtaccessTest.php
@@ -15,21 +15,51 @@
+   *   An array of file paths to be access tested.

"access-tested" should be hyphenated.

cilefen’s picture

cilefen commented
Issue summary: View changes

Added the beta phase evaluation, which is needed to have issues committed right now.

benjy’s picture

benjy commented

"access-tested" should be hyphenated.

Really?? Can you expand on that, I don't feel like they should be hyphenated when the nouns come first.

cilefen’s picture

cilefen commented

"Access-tested" is a compound forming two nouns into a verb. Those are hyphenated.

cilefen’s picture

cilefen commented
Status: Reviewed & tested by the community » Needs work

Let's fix that comment please.

eric115’s picture

eric115 commented
Status: Needs work » Needs review
StatusFileSize
new 2332029-35.patch4.37 KB
new interdiff.txt649 bytes

Here is the patch with the hyphen in the comment. Also I have uploaded an interdiff.

benjy’s picture

benjy commented
Status: Needs review » Reviewed & tested by the community

Looks good.

sutharsan’s picture

sutharsan commented
Issue tags: -Needs tests
alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Needs work 
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.engine b/core/modules/simpletest/files/htaccessTestFiles/access_test.engine
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.inc b/core/modules/simpletest/files/htaccessTestFiles/access_test.inc
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.install b/core/modules/simpletest/files/htaccessTestFiles/access_test.install
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.make b/core/modules/simpletest/files/htaccessTestFiles/access_test.make
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.module b/core/modules/simpletest/files/htaccessTestFiles/access_test.module
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.po b/core/modules/simpletest/files/htaccessTestFiles/access_test.po
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.profile b/core/modules/simpletest/files/htaccessTestFiles/access_test.profile
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.sh b/core/modules/simpletest/files/htaccessTestFiles/access_test.sh
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.sql b/core/modules/simpletest/files/htaccessTestFiles/access_test.sql
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.theme b/core/modules/simpletest/files/htaccessTestFiles/access_test.theme
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.tpl.php b/core/modules/simpletest/files/htaccessTestFiles/access_test.tpl.php
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.twig b/core/modules/simpletest/files/htaccessTestFiles/access_test.twig
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.xtmpl b/core/modules/simpletest/files/htaccessTestFiles/access_test.xtmpl
...
diff --git a/core/modules/simpletest/files/htaccessTestFiles/access_test.yml b/core/modules/simpletest/files/htaccessTestFiles/access_test.yml
...
+++ b/core/modules/system/src/Tests/System/HtaccessTest.php

These files belong in core/modules/system/tests/fixtures/HtaccessTest since the test is in system.

eric115’s picture

eric115 commented
Status: Needs work » Needs review
StatusFileSize
new 2332029-39.patch4.37 KB
new interdiff.txt5.25 KB

Thanks you for the feedback so far everyone.
Here is a new patch file with the files moved to core/modules/system/tests/fixtures/HtaccessTest.

benjy’s picture

benjy commented
Status: Needs review » Reviewed & tested by the community

The interdiff is missing the change to drupal_get_path() but the main patch looks good and addresses #38. Back to RTBC.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
commented
Status: Reviewed & tested by the community » Fixed

Adding test coverage is not blocked during beta. Committed 3874b0c and pushed to 8.0.x. Thanks!

  • alexpott committed 3874b0c on 8.0.x 
    Issue #2332029 by Eric115: Add test coverage for .htaccess rules

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.