Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
We now have a sites/default/services.yml file that has, potentially, sensitive information in it (just as settings.php has). That should not be publicly exposed.
Proposed resolution
Add .yml files to the blacklist in .htaccess.
Remaining tasks
Write the patch. Should be easy.
User interface changes
None.
API changes
None.
Comments
Comment #1
dawehner.
Comment #2
Crell CreditAttribution: Crell commentedThis is a one liner patch, so marking Novice.
Comment #3
moshe weitzman CreditAttribution: moshe weitzman commentedweb.config and .htaccess need updating.
Comment #4
alexpottThis is a duplicate of #1956698: Prevent access to YAML files using .htaccess and web.config