Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend the scope of webserver protected folders #23101

Open
wants to merge 3 commits into
base: 5.x-dev
Choose a base branch
from
Open

Extend the scope of webserver protected folders #23101

wants to merge 3 commits into from
+29 −22

Conversation

michalkleiner
Copy link
Contributor

Description:

As per the title, ref. DEV-18936

Review

michalkleiner
michalkleiner commented Mar 6, 2025
View reviewed changes
plugins/Installation/ServerFilesGenerator.php
@@ -195,7 +201,7 @@ protected static function createWebConfigFiles()
<requestFiltering>
<denyUrlSequences>
<add sequence=".php" />
</denyUrlSequences>' . ($directoryToProtect === '/plugins' ? $additionForPlugins : '') . '
</denyUrlSequences>' . (!is_numeric($directoryToProtect) ? $additions : '') . '
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

key->value items in the array have string keys, without the pair the key is numeric, so we can use this to check if we have some additions or not.

michalkleiner
michalkleiner commented Mar 6, 2025
View reviewed changes
plugins/Installation/ServerFilesGenerator.php
@@ -68,7 +68,7 @@ public static function createHtAccessFiles()
'/libs' => $denyAll . $allowStaticAssets,
'/vendor' => $denyAll . $allowStaticAssets,
'/plugins' => $denyAll . $allowStaticAssets . $allowManifestFile,
'/misc/user' => $denyAll . $allowStaticAssets,
'/misc' => $denyAll . $allowStaticAssets,
Copy link
Contributor Author

@michalkleiner michalkleiner Mar 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an explicit .htaccess in misc/cron allowing access to the archive.php script, so this should be ok as an extended scope.

@michalkleiner michalkleiner requested a review from a team March 6, 2025 23:26
@michalkleiner michalkleiner added this to the 5.4.0 milestone Mar 6, 2025
@michalkleiner
Copy link
Contributor Author

This is the content of the /misc folder web.config after the change, before the change the is no web.config file in the /misc folder.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <denyUrlSequences>
          <add sequence=".php" />
        </denyUrlSequences>
        <alwaysAllowedUrls>
          <add url="/misc/cron/archive.php" />
        </alwaysAllowedUrls>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

@michalkleiner
Copy link
Contributor Author

The generation can be tested using the ddev local env if you comment out the if (!SettingsServer::isIIS()) { condition in ServerFilesGenerator::createWebConfigFiles method, then it generates the web.config files as well when running ./console core:create-security-files command.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
5.4.0
Development

Successfully merging this pull request may close these issues.
1 participant
@michalkleiner