Merge pull request #1140 from silverstripe-rebelalliance/yamlaccess_30

Document that yaml files shouldnt be served directly
2024-10-22 12:05:37 +00:00 · 2013-01-29 01:56:56 -08:00 · 2013-01-29 01:56:56 -08:00 · f0ef2ff02b
commit f0ef2ff02b
parent 0a312b4eaf bec5ae1886
4 changed files with 39 additions and 3 deletions
--- a/dev/install/install.php5
+++ b/dev/install/install.php5
@ -1268,6 +1268,13 @@ HTML;
 	Deny from all
 </Files>

+# This denies access to all yml files, since developers might include sensitive
+# information in them. See the docs for work-arounds to serve some yaml files
+<Files *.yml>
+	Order allow,deny
+	Deny from all
+</Files>
+
 ErrorDocument 404 /assets/error-404.html
 ErrorDocument 500 /assets/error-500.html

--- a/docs/en/installation/nginx.md
+++ b/docs/en/installation/nginx.md
@ -19,7 +19,7 @@ configuration settings:
 		index index.php index.html index.htm;
 		
 		server_name example.com;
-
+		
 		include silverstripe3;
 		include htaccess;
 	}
@ -29,7 +29,7 @@ Here is the include file `silverstripe3`:
 	location / {
 		try_files $uri @silverstripe;
 	}
- 
+	 
 	location @silverstripe {
 		include fastcgi_params;
 		
@ -68,6 +68,11 @@ Here is the include file `htaccess`:
 		try_files $uri $uri/ =404;
 	}
 	
+	# Block access to yaml files
+	location ~ \.yml$ {
+		deny all;
+	}
+	
 	# cms & framework .htaccess rules
 	location ~ ^/(cms|framework|mysite)/.*\.(php|php[345]|phtml|inc)$ {
 		deny all;
--- a/docs/en/installation/webserver.md
+++ b/docs/en/installation/webserver.md
@ -26,4 +26,18 @@ name' and the default login details. Follow the questions and select the *instal

 ## Issues?

-If the above steps don't work for any reason have a read of the [Common Problems](common-problems) section.
+If the above steps don't work for any reason have a read of the [Common Problems](common-problems) section.
+
+## Security notes
+
+### Yaml
+
+For the reasons explained in [security](/topics/security) Yaml files are blocked by default by the .htaccess file
+provided by the SilverStripe installer module.
+
+To allow serving yaml files from a specific directory, add code like this to an .htaccess file in that directory
+
+	<Files *.yml>
+		Order allow,deny
+		Allow from all
+	</Files>
--- a/docs/en/topics/security.md
+++ b/docs/en/topics/security.md
@ -363,6 +363,16 @@ file in the assets directory.  This requires PHP to be loaded as an Apache modul
 	php_flag engine off
 	Options -ExecCGI -Includes -Indexes 

+### Don't allow access to .yml files
+
+Yaml files are often used to store sensitive or semi-sensitive data for use by SilverStripe framework (for instance,
+configuration and test fixtures).
+
+You should therefore block access to all yaml files (extension .yml) by default, and white list only yaml files
+you need to serve directly.
+
+See [Apache](/installation/webserver) and [Nginx](/installation/nginx) installation documentation for details 
+specific to your web server

 ##  Related