Problem/Motivation
Currently, when building a Drupal website, anyone can visit core/package.json and core/yarn.lock, which exposes some information about the versions of front-end dependencies in use.
Steps to reproduce
Visit a random Drupal 9 website and go to /core/package.json or /core/yarn.lock. You can now see the content of those two files.
Proposed resolution
Block access to those files in .htaccess.
Remaining tasks
User interface changes
API changes
Data model changes
Release notes snippet
yarn.lock and package.json are now blocked by Drupal's default web server configuration; sites should update any copies of .htaccess or web.config to incorporate the changes.
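As an added example (not part of this issue or of Drupal's own configuration), the following Python check emulates how Apache applies a FilesMatch pattern to the basename of the requested file, so a site owner can verify which files a rule actually denies before copying it into a customised .htaccess. The pattern is a constructed one written in the style of Drupal's default rule, not copied from it, and the sample request paths are made up; it also covers the package-lock.json question raised in the comments, which this pattern does not block.

```python
"""Emulate an Apache <FilesMatch> rule to audit which request paths it denies.

Constructed example: the pattern below is modelled on the style of the
FilesMatch block in Drupal's default .htaccess but is an assumption here,
not Drupal's actual rule. Apache evaluates FilesMatch as a PCRE regex against
the basename of the file being served, which Python's re module reproduces
closely enough for a pre-deployment sanity check.
"""
import posixpath
import re

# Hypothetical rule covering the files discussed in the issue
# (package.json, yarn.lock, web.config) plus a few conventional ones.
BLOCKED_FILES_PATTERN = (
    r"^(\.(?!well-known).*|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$"
    r"|\.(engine|inc|install|module|profile|theme|yml)$"
)
_BLOCKED = re.compile(BLOCKED_FILES_PATTERN)


def is_blocked(request_path: str) -> bool:
    """Return True if the rule would deny serving this path.

    FilesMatch only sees the basename, so the directory part (e.g. /core/)
    plays no role; directory-level protection needs a separate rule.
    """
    basename = posixpath.basename(request_path)
    return _BLOCKED.search(basename) is not None


def audit(paths):
    """Map each request path to whether the rule denies it."""
    return {path: is_blocked(path) for path in paths}


if __name__ == "__main__":
    # Constructed sample paths: the files from the issue plus controls.
    sample = [
        "/core/package.json",
        "/core/yarn.lock",
        "/web.config",
        "/core/package-lock.json",   # not covered by this pattern
        "/core/misc/drupal.js",      # legitimate asset, must stay reachable
        "/index.php",
        "/.htaccess",
        "/.well-known",              # negative lookahead keeps this reachable
    ]
    for path, blocked in audit(sample).items():
        print(f"{'DENY ' if blocked else 'allow'} {path}")
```

Running the audit before and after editing a rule makes regressions like an accidentally unreachable asset, or a file that is still served, visible without touching a live server.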
Comment | File | Size | Author |
---|---|---|---|
#9 | 3308369-9.patch | 3.61 KB | JeroenT |
Issue fork drupal-3308369
Comments
Comment #2
JeroenT
Comment #5
cilefen (CreditAttribution: cilefen as a volunteer) commented: There is also web.config to deal with.
Comment #6
JeroenT: @cilefen, web.config is already included in the list. Or am I missing something?
Comment #7
JeroenT
Comment #8
cilefen (CreditAttribution: cilefen as a volunteer) commented: web.config is analogous to .htaccess for IIS, and your suggested Apache Web Server access control change must be implemented there too.
Comment #9
JeroenT: Ah, I see what you mean now. Updated the patch.
Comment #12
nod_: Works as intended.
Comment #14
catch: Committed/pushed to 10.1.x and cherry-picked back through to 9.5.x, thanks!
Comment #16
johnzzon: Great addition! But what about package-lock.json? Isn't it the equivalent of yarn.lock, and should it also be blocked?
Comment #17
longwave: This should have been tagged for release notes as it is a change to user-modified files, although it only works for package.json due to a bug: #3327115: .htaccess rules broken since yarn.lock got added
Comment #18
xjm