Ensure to not serve yml files inside Drupal [#2321487]

Problem/Motivation

We now have a sites/default/services.yml file that has, potentially, sensitive information in it (just as settings.php has). That should not be publicly exposed.

Proposed resolution

Add .yml files to the blacklist in .htaccess.

Remaining tasks

Write the patch. Should be easy.

User interface changes

None.

API changes

None.

Comments

Comment #1

dawehner

German

CreditAttribution: dawehner commented 14 August 2014 at 16:19

Parent issue:

» #2251113: Use container parameters instead of settings

Comment #2

Crell CreditAttribution: Crell commented 14 August 2014 at 16:22

Issue summary:	View changes
Issue tags:		+Novice

This is a one liner patch, so marking Novice.

Comment #3

moshe weitzman CreditAttribution: moshe weitzman commented 14 August 2014 at 16:42

Priority:

Major

» Critical

web.config and .htaccess need updating.

Comment #4

alexpott

he/they

English

🇪🇺🌍

CreditAttribution: alexpott commented 14 August 2014 at 17:48

Status:

Active

» Closed (duplicate)

This is a duplicate of #1956698: Prevent access to YAML files using .htaccess and web.config

Ensure to not serve yml files inside Drupal

Problem/Motivation

Proposed resolution

Remaining tasks

User interface changes

API changes

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Parent issue

Referenced by

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community