
Have composer create a .htaccess file in vendor directory
Closed, Resolved (Public)

Description

Per the suggestion in the parent task, T180231

Can we make composer add a .htaccess file with Deny from all as a security measure?

Event Timeline

Reedy created this task. Nov 10 2017, 2:31 PM
Reedy created this object with visibility "Custom Policy".
Reedy added a subscriber: Hutchy68. Nov 10 2017, 2:35 PM

Yes, we can technically do this. Composer has post-install hooks like the one that composer-merge-plugin uses. We'd just need to write a simple PHP class that writes out the .htaccess file.

https://getcomposer.org/doc/articles/scripts.md#event-names

Reedy added a comment. Nov 10 2017, 6:21 PM

"php -r \"file_put_contents( 'vendor/.htaccess', 'Deny from all' );\""
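The post-install hook approach from the comments above, written out as a Composer script class (an added example, not MediaWiki's or Composer's own code; the class and method names are hypothetical). It also covers the Apache 2.4 case, where "Deny from all" is only honoured if mod_access_compat is loaded:

```php
<?php
// Added example: a Composer script that writes vendor/.htaccess after
// install/update. Wire it up in composer.json as
//   "scripts": { "post-install-cmd": "Example\\VendorHtaccess::write",
//                "post-update-cmd":  "Example\\VendorHtaccess::write" }
namespace Example;

use Composer\Script\Event;

class VendorHtaccess {
    // "Deny from all" is Apache 2.2 syntax; Apache 2.4 uses
    // "Require all denied" (mod_authz_core), so emit both variants.
    const CONTENT = "<IfModule mod_authz_core.c>\n"
        . "\tRequire all denied\n"
        . "</IfModule>\n"
        . "<IfModule !mod_authz_core.c>\n"
        . "\tDeny from all\n"
        . "</IfModule>\n";

    /** Composer script entry point: resolves the configured vendor-dir. */
    public static function write( Event $event ) {
        $vendorDir = $event->getComposer()->getConfig()->get( 'vendor-dir' );
        $written = self::writeTo( $vendorDir );
        $event->getIO()->write( $written
            ? "Wrote $vendorDir/.htaccess (web access denied)"
            : "$vendorDir/.htaccess already up to date" );
    }

    /** Writes the file only if missing or changed; returns true when written. */
    public static function writeTo( $vendorDir ) {
        $path = $vendorDir . '/.htaccess';
        if ( is_file( $path ) && file_get_contents( $path ) === self::CONTENT ) {
            return false;
        }
        // Write to a temp file and rename so a request arriving mid-write
        // never sees a truncated (and therefore ineffective) .htaccess.
        $tmp = $path . '.tmp';
        if ( file_put_contents( $tmp, self::CONTENT ) === false ) {
            throw new \RuntimeException( "Cannot write $tmp" );
        }
        rename( $tmp, $path );
        return true;
    }
}
```

The file only takes effect on Apache with AllowOverride permitting Limit (2.2) or AuthConfig (2.4); nginx and other servers ignore .htaccess and need an equivalent location rule, so confirm the deployment by requesting a file under /vendor and expecting a 403.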
Legoktm claimed this task. Nov 10 2017, 11:49 PM

For core:

For mediawiki/vendor:

Reedy added a comment (edited). Nov 11 2017, 12:28 AM

Shouldn't need to really do much to backport the vendor patch...

1.27 and 1.28 were definitely borked

bd808 added a subscriber: bd808. Nov 12 2017, 12:32 AM

This is a nice idea from a belt and suspenders point of view.

A much better long term fix would be to refactor MediaWiki core so that there is a distinct webroot directory that does not contain all of the PHP code and instead only exposes the entry point scripts. This was discussed at least tangentially in T167038: Separate "application" and "project" concerns.

Reedy closed this task as Resolved. Nov 13 2017, 5:59 PM
Reedy added a comment. Nov 13 2017, 7:03 PM

A much better long term fix would be to refactor MediaWiki core so that there is a distinct webroot directory that does not contain all of the PHP code and instead only exposes the entry point scripts. This was discussed at least tangentially in T167038: Separate "application" and "project" concerns.

And for anyone following along in future... T180394: MediaWiki entry points should not be in the base repo directory

Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)". Nov 15 2017, 12:06 AM

Change 391427 had a related patch set uploaded (by Reedy; owner: Legoktm):
[mediawiki/vendor@REL1_30] Add .htaccess to disallow web access

https://gerrit.wikimedia.org/r/391427

Change 391427 merged by Reedy:
[mediawiki/vendor@REL1_30] Add .htaccess to disallow web access

https://gerrit.wikimedia.org/r/391427

Change 391428 had a related patch set uploaded (by Reedy; owner: Legoktm):
[mediawiki/vendor@master] Add .htaccess to disallow web access

https://gerrit.wikimedia.org/r/391428

Change 391373 merged by jenkins-bot:
[mediawiki/extensions/FundraisingEmailUnsubscribe@master] Disallow web access to /vendor

https://gerrit.wikimedia.org/r/391373

Change 391415 merged by Ejegg:
[mediawiki/core@fundraising/REL1_27] Create a .htaccess in /vendor after composer runs

https://gerrit.wikimedia.org/r/391415

Change 391452 had a related patch set uploaded (by Reedy; owner: Legoktm):
[mediawiki/core@master] SECURITY: Create a .htaccess in /vendor after composer runs

https://gerrit.wikimedia.org/r/391452

Change 391428 merged by jenkins-bot:
[mediawiki/vendor@master] Add .htaccess to disallow web access

https://gerrit.wikimedia.org/r/391428

Change 391452 merged by Reedy:
[mediawiki/core@master] SECURITY: Create a .htaccess in /vendor after composer runs

https://gerrit.wikimedia.org/r/391452