Page MenuHomePhabricator
Create Task
Maniphest T180237

Have composer create a .htaccess file in vendor director
Closed, ResolvedPublic
Actions

Assigned To
Legoktm
Authored By
Reedy
Nov 10 2017, 2:31 PM
Tags
Referenced Files
F10721718: T180237-REL1_27.patch
Nov 11 2017, 12:51 AM
F10721717: T180237-REL1_28.patch
Nov 11 2017, 12:51 AM
F10721472: T180237-REL1_28.patch
Nov 11 2017, 12:28 AM
F10721475: T180237-REL1_29.patch
Nov 11 2017, 12:28 AM
F10721473: T180237-REL1_30.patch
Nov 11 2017, 12:28 AM
F10721474: T180237-master.patch
Nov 11 2017, 12:28 AM
F10721471: T180237-REL1_27.patch
Nov 11 2017, 12:28 AM
F10721372: 0001-SECURITY-Create-a-.htaccess-in-vendor-after-composer.patch
Nov 11 2017, 12:10 AM
View All 9 Files
Subscribers
Aklapper
bd808
gerritbot
Hutchy68
Legoktm
Reedy

Description

Per the suggestion in the parent task, T180231

Can we make composer add a .htaccess file with Deny from all as a security measure?

Details

Show related patches Customize query in gerrit

Related Objects
Search...

Event Timeline

Reedy created this task.Nov 10 2017, 2:31 PM
Reedy created this object with visibility "Custom Policy".
Reedy added a subscriber: Hutchy68.Nov 10 2017, 2:35 PM
Legoktm added a subscriber: Legoktm.Nov 10 2017, 6:14 PM

Yes, we can technically do this. Composer has post-install hooks like the one that composer-merge-plugin uses. We'd just need to write a simple PHP class that writes out the .htaccess file.

https://getcomposer.org/doc/articles/scripts.md#event-names

Reedy added a comment.Nov 10 2017, 6:21 PM
"php -r \"file_put_contents( 'vendor/.htaccess', 'Deny from all' );\""
Legoktm claimed this task.Nov 10 2017, 11:49 PM
Legoktm added a project: Patch-For-Review.Nov 11 2017, 12:10 AM

For core:

0001-SECURITY-Create-a-.htaccess-in-vendor-after-composer.patch3 KBDownload

For mediawiki/vendor:

0001-SECURITY-Add-.htaccess-to-disallow-web-access.patch800 BDownload

Reedy added a comment.EditedNov 11 2017, 12:28 AM

Shouldn't need to really do much to backport the vendor patch...

T180237-REL1_29.patch3 KBDownload

T180237-master.patch3 KBDownload

T180237-REL1_30.patch3 KBDownload

1.27 and 1.28 were definitely borked

Reedy added a comment.Nov 11 2017, 12:51 AM

T180237-REL1_27.patch3 KBDownload

T180237-REL1_28.patch3 KBDownload

Reedy mentioned this in T168823: Tracking bug for 1.27.4/1.28.3/1.29.2 security releases.Nov 11 2017, 1:20 AM
bd808 added a subscriber: bd808.Nov 12 2017, 12:32 AM

This is a nice idea from a belt and suspenders point of view.

A much better long term fix would be to refactor MediaWiki core so that there is a distinct webroot directory that does not contain all of the PHP code and instead only exposes the entry point scripts. This was discussed at least tangentially in T167038: Separate "application" and "project" concerns.

Reedy closed this task as Resolved.Nov 13 2017, 5:59 PM
Anomie mentioned this in T180394: MediaWiki entry points should not be in the base repo directory.Nov 13 2017, 7:01 PM
Reedy added a comment.Nov 13 2017, 7:03 PM
In T180237#3752790, @bd808 wrote:

A much better long term fix would be to refactor MediaWiki core so that there is a distinct webroot directory that does not contain all of the PHP code and instead only exposes the entry point scripts. This was discussed at least tangentially in T167038: Separate "application" and "project" concerns.

And for anyone following along in future... T180394: MediaWiki entry points should not be in the base repo directory

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".Nov 15 2017, 12:06 AM
gerritbot added a subscriber: gerritbot.Nov 15 2017, 12:07 AM

Change 391427 had a related patch set uploaded (by Reedy; owner: Legoktm):
[mediawiki/vendor@REL1_30] Add .htaccess to disallow web access

https://gerrit.wikimedia.org/r/391427

gerritbot added a comment.Nov 15 2017, 12:07 AM

Change 391427 merged by Reedy:
[mediawiki/vendor@REL1_30] Add .htaccess to disallow web access

https://gerrit.wikimedia.org/r/391427

gerritbot added a comment.Nov 15 2017, 12:07 AM

Change 391428 had a related patch set uploaded (by Reedy; owner: Legoktm):
[mediawiki/vendor@master] Add .htaccess to disallow web access

https://gerrit.wikimedia.org/r/391428

gerritbot added a comment.Nov 15 2017, 12:20 AM

Change 391373 merged by jenkins-bot:
[mediawiki/extensions/FundraisingEmailUnsubscribe@master] Disallow web access to /vendor

https://gerrit.wikimedia.org/r/391373

gerritbot added a comment.Nov 15 2017, 12:56 AM

Change 391415 merged by Ejegg:
[mediawiki/core@fundraising/REL1_27] Create a .htaccess in /vendor after composer runs

https://gerrit.wikimedia.org/r/391415

gerritbot added a comment.Nov 15 2017, 12:59 AM

Change 391452 had a related patch set uploaded (by Reedy; owner: Legoktm):
[mediawiki/core@master] SECURITY: Create a .htaccess in /vendor after composer runs

https://gerrit.wikimedia.org/r/391452

ReleaseTaggerBot added projects: MW-1.30-release-notes, MW-1.29-release-notes.Nov 15 2017, 1:01 AM
gerritbot added a comment.Nov 15 2017, 2:02 AM

Change 391428 merged by jenkins-bot:
[mediawiki/vendor@master] Add .htaccess to disallow web access

https://gerrit.wikimedia.org/r/391428

gerritbot added a comment.Nov 15 2017, 2:54 AM

Change 391452 merged by Reedy:
[mediawiki/core@master] SECURITY: Create a .htaccess in /vendor after composer runs

https://gerrit.wikimedia.org/r/391452

ReleaseTaggerBot added a project: MW-1.31-release-notes (WMF-deploy-2017-11-28 (1.31.0-wmf.10)).Nov 15 2017, 3:00 AM
Anomie mentioned this in T181451: RFC: WebAssembly and compiled JS code best practices.Nov 28 2017, 1:49 AM
Legoktm mentioned this in T191597: MediaWiki 1.30.0 tarball is missing vendor/.htaccess.Apr 6 2018, 7:28 AM
chasemp added a project: Security.Feb 10 2020, 10:52 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:13 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL