Issue #2948579 by greggles, mcdruid, longwave, Chi, rabbitlair, alexpott,...

Issue #2948579 by greggles, mcdruid, longwave, Chi, rabbitlair, alexpott, DKAN, beckydev, interX, sammuell: Block web.config in .htaccess (and vice-versa)

Issue #2948579 by greggles, mcdruid, longwave, Chi, rabbitlair, alexpott,...
dfa4cdeb · Alex Pott · 340d33e7 · dfa4cdeb · dfa4cdeb · dfa4cdeb
Unverified Commit dfa4cdeb authored 5 years ago by Alex Pott
--- a/.htaccess
+++ b/.htaccess
@@ -3,7 +3,7 @@
 #

 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>

--- a/core/modules/system/tests/fixtures/HtaccessTest/.htaccess
+++ b/core/modules/system/tests/fixtures/HtaccessTest/.htaccess
--- a/core/modules/system/tests/fixtures/HtaccessTest/web.config
+++ b/core/modules/system/tests/fixtures/HtaccessTest/web.config
--- a/core/modules/system/tests/src/Functional/System/HtaccessTest.php
+++ b/core/modules/system/tests/src/Functional/System/HtaccessTest.php
@@ -86,6 +86,10 @@ protected function getProtectedFiles() {
    $file_paths["$path/composer.json"] = 403;
    $file_paths["$path/composer.lock"] = 403;

+    // Ensure web server configuration files cannot be accessed.
+    $file_paths["$path/.htaccess"] = 403;
+    $file_paths["$path/web.config"] = 403;
+
    return $file_paths;
  }


--- a/web.config
+++ b/web.config
@@ -22,7 +22,7 @@
    <rewrite>
      <rules>
        <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock))$" />
+          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess)$" />
          <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
        </rule>