Follow-up to #1956698: Prevent access to YAML files using .htaccess and web.config
Problem/Motivation
The core .htaccess file disallows HTTP access to internal and code files (module files, templates, etc.). As of #1956698: Prevent access to YAML files using .htaccess and web.config, this includes .yml files as well. However, if files with these same extensions are uploaded to and managed by the files directory, it doesn't make sense to restrict access to them the same way we restrict access to codebase files.
Proposed resolution
Make it possible to download some or all of these file extensions only within the files directory, instead of denying access to them everywhere, especially since the allowed uploadable file types can be configured by administrators. FileStorage::htaccessLines() could potentially be modified to override the global access restriction just within the files directories.
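As an added illustration (not code from this issue or from Drupal core), the two-level layout being proposed: a simplified stand-in for the core deny rule at the docroot, and a narrower per-directory rule in the files directory that re-allows .yml downloads there while keeping script execution off. The FilesMatch expression, the files path and the handler name are assumptions for illustration.

```apache
# --- docroot/.htaccess (simplified stand-in for the core rule; assumption,
#     not the exact expression Drupal ships) ---
# Deny direct HTTP access to code and internal files, .yml included.
<FilesMatch "\.(engine|inc|install|module|profile|theme|twig|yml)$">
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2: "Order allow,deny" with no Allow denies everyone
    Order allow,deny
  </IfModule>
</FilesMatch>

# --- sites/default/files/.htaccess (the per-directory override the issue
#     suggests generating from FileStorage::htaccessLines(); illustrative) ---
# Never execute anything uploaded here, whatever its extension: an opaque
# handler name plus PHP engine off (mirrors the intent of the shipped file).
SetHandler Example_Do_Not_Execute_Uploads
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
Options -Indexes -ExecCGI -Includes

# Re-allow only the uploadable extensions an administrator has enabled, as
# downloads. With mod_authz_core's default AuthMerging Off, this Require
# replaces the parent's "Require all denied" for matching files in this
# directory only; deeper directories inherit the parent deny again unless
# they carry their own override.
<FilesMatch "\.yml$">
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
  </IfModule>
  # Serve as inert plain text so the browser never treats it as active
  # content, and stop MIME sniffing from second-guessing that.
  ForceType text/plain
  <IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
  </IfModule>
</FilesMatch>
```

The override stays confined to the upload directory, so codebase .yml files under the docroot remain unreachable; check with a request for a known core .yml path (expect 403) and for an uploaded one (expect 200 as text/plain).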
Remaining tasks
- Decide the best way to fix this bug/annoyance without compromising the security provided by this .htaccess rule.
- Which of the restricted extensions to allow within the files directory (if any) needs discussion.
User interface changes
It will (again) be possible to download yml (and other) file types from the files directory, and configuring the files directory to allow an otherwise-restricted extension will work.
API changes
Probably none.
Postponed until
#1956698: Prevent access to YAML files using .htaccess and web.config
Comments
Comment #1
xjm
Comment #2
xjm
Comment #3
Gábor Hojtsy
Tests for uploaded .yml files are in the interdiff in #1956698-52: Prevent access to YAML files using .htaccess and web.config; can take that and implement the fix to make it pass here.
Comment #4
mgifford
Comment #15
larowlan
This sounds like a task more than a bug.