mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-06-30 16:39:38 +02:00
BUG Secure composer files from web access (fixes #8011)
Already applied to root .htaccess, but required for dynamically generated file from installer as well. Also added upgrade instructions.
This commit is contained in:
Ingo Schommer
parent
e21bd49462
commit
ede381326b
|
|
@ -1280,6 +1280,8 @@ ErrorDocument 500 /assets/error-500.html
|
|||
|
||||
<IfModule mod_alias.c>
|
||||
RedirectMatch 403 /silverstripe-cache(/|$)
|
||||
RedirectMatch 403 /vendor(/|$)
|
||||
RedirectMatch 403 /composer\.(json|lock)
|
||||
</IfModule>
|
||||
|
||||
<IfModule mod_rewrite.c>
|
||||
|
|
|
|||
|
|
@ -2,14 +2,52 @@
|
|||
|
||||
## Overview
|
||||
|
||||
* Security: Information leakage through web access on YAML configuration files
|
||||
* Security: Information leakage through web access on composer files
|
||||
* Security: Require ADMIN permissions for `?showtemplate=1`
|
||||
* Changed `dev/tests/setdb` and `dev/tests/startsession` from session to cookie storage.
|
||||
* Require ADMIN permissions for `?showtemplate=1`
|
||||
|
||||
## Details
|
||||
|
||||
### Require ADMIN permissions for `?showtemplate=1`
|
||||
### Security: Prevent web access to YAML and composer files
|
||||
|
||||
Avoids information leakage of compiled template data,
|
||||
Severity: Moderate
|
||||
|
||||
Description: YAML files are used to configure the SilverStripe application
|
||||
since its 3.0 release. These files can contain sensitive values such as database
|
||||
and API credentials. By default, the installer still stores database credentials
|
||||
in `_config.php` files which are safe from web access. So this only concerns
|
||||
configuration values added in your own project, or a third party module.
|
||||
|
||||
Resolution: Update your `.htaccess` file (for Apache), or your `web.config` file (for IIS)
|
||||
with the new files from the project root, and reapply any customizations you've made.
|
||||
Follow the [general upgrade instructions](/installation/upgrading).
|
||||
The [nginx installation instructions](/installation/nginx)
|
||||
have also been updated to reflect those changes.
|
||||
|
||||
### Security: Information exposure through web access on composer files
|
||||
|
||||
Severity: Low
|
||||
|
||||
Description: [Composer](http://getcomposer.org) is a dependency management
|
||||
tool which can optionally be used to install SilverStripe. The `composer.json`
|
||||
and `composer.lock` files are required for its operation, so they are included
|
||||
in the standard release since 3.0.2. These files contain information on the installed
|
||||
versions of core and thirdparty modules, which could be used to target specific
|
||||
versions of SilverStripe.
|
||||
|
||||
Resolution: Update your `.htaccess` file (for Apache), or your `web.config` file (for IIS)
|
||||
with the new files from the project root, and reapply any customizations you've made.
|
||||
Follow the [general upgrade instructions](/installation/upgrading).
|
||||
The [nginx installation instructions](/installation/nginx)
|
||||
have also been updated to reflect those changes.
|
||||
|
||||
|
||||
### Security: Require ADMIN permissions for `?showtemplate=1`
|
||||
|
||||
Severity: Low
|
||||
|
||||
Description: Avoids information leakage of compiled template data,
|
||||
which might expose some of the internal template logic.
|
||||
|
||||
## Upgrading
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user