Problem/Motivation
The .htaccess added to the config sync directory is untested - we should test it.
Proposed resolution
Add tests
Remaining tasks
User interface changes
None
API changes
None
Comment | File | Size | Author |
---|---|---|---|
#16 | 2723411-16.patch | 818 bytes | alexpott |
#7 | 2723411-7.patch | 1.08 KB | alexpott |
#7 | 2-7-interdiff.txt | 737 bytes | alexpott |
#2 | 2723411-2.patch | 1.08 KB | alexpott |
Comments
Comment #2
alexpottComment #3
Wim LeersSUPERNIT: s/yml/YAML/ ?
Comment #4
catchDoesn't the file directory htaccess have more restrictive rules?
On the other hand, it should only have YAML in it, as opposed to file upload directories which could have any old crap, but this wasn't discussed so far so let's at least document here why it's OK to skip it.
Comment #5
alexpott@catch yes you are totally correct. Requiring the config sync directory to be writable is a really tricky bug though. I've improved the IS.
Comment #6
alexpottComment #7
alexpottComment #9
alexpottComment #10
pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commentedBoth the reasoning and the code look good to me.
Comment #11
pjcdawkins CreditAttribution: pjcdawkins at Platform.sh commented... and a wise colleague has mentioned that means I can set this RTBC
Comment #12
geerlingguy CreditAttribution: geerlingguy commented+1 on the RTBC, this seems adequate to me.
Comment #13
geerlingguy CreditAttribution: geerlingguy commentedBut does it need a more official security review, just for completeness?
Comment #14
neclimdulThis makes me a nervous because it seems like we're swapping the file_save_access('', $true) on the config directory for the file_save_access('') on the parent files directory and the fact that the root .htaccess by default blocks all .yml files.
If someone modifies that for a totally reasonable "I need people to be able to upload yml files to my site" they could very easily open up their config directory without realizing it.
Comment #15
alexpott@neclimdul ok. I think if someone opens up .yml in the main .htaccess they also have a problem with module version disclosure. However I guess given the possible contents of the directory we should go the extra mile.
Comment #16
alexpottSo let's not attempt to do this at all. We can just go back to only enforcing the htaccess if the directory is writable in #2466197: Staging directory should not have to be writeable.. What we should do here is add proper tests for the .htaccess so we'll know if we break this protection.
Comment #19
wturrell CreditAttribution: wturrell as a volunteer commentedComment #29
smustgrave CreditAttribution: smustgrave at Mobomo commentedThis issue is being reviewed by the kind folks in Slack, #need-reveiw-queue. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge require as a guide.
Moving back to NW for the tests.