tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 12:05:37 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #1140 from silverstripe-rebelalliance/yamlaccess_30

Browse Source 
Document that yaml files shouldnt be served directly
This commit is contained in:
Ingo Schommer 2013-01-29 01:56:56 -08:00
commit f0ef2ff02b
4 changed files with 39 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
dev/install/install.php5
View File

@ -1268,6 +1268,13 @@ HTML;
Deny from all Deny from all
</Files> </Files>
# This denies access to all yml files, since developers might include sensitive
# information in them. See the docs for work-arounds to serve some yaml files
<Files *.yml>
Order allow,deny
Deny from all
</Files>
ErrorDocument 404 /assets/error-404.html ErrorDocument 404 /assets/error-404.html
ErrorDocument 500 /assets/error-500.html ErrorDocument 500 /assets/error-500.html

5
docs/en/installation/nginx.md
View File

@ -68,6 +68,11 @@ Here is the include file `htaccess`:
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
# Block access to yaml files
location ~ \.yml$ {
deny all;
}
# cms & framework .htaccess rules # cms & framework .htaccess rules
location ~ ^/(cms|framework|mysite)/.*\.(php|php[345]|phtml|inc)$ { location ~ ^/(cms|framework|mysite)/.*\.(php|php[345]|phtml|inc)$ {
deny all; deny all;

14
docs/en/installation/webserver.md
View File

@ -27,3 +27,17 @@ name' and the default login details. Follow the questions and select the *instal
## Issues? ## Issues?
If the above steps don't work for any reason have a read of the [Common Problems](common-problems) section. If the above steps don't work for any reason have a read of the [Common Problems](common-problems) section.
## Security notes
### Yaml
For the reasons explained in [security](/topics/security) Yaml files are blocked by default by the .htaccess file
provided by the SilverStripe installer module.
To allow serving yaml files from a specific directory, add code like this to an .htaccess file in that directory
<Files *.yml>
Order allow,deny
Allow from all
</Files>

10
docs/en/topics/security.md
View File

@ -363,6 +363,16 @@ file in the assets directory. This requires PHP to be loaded as an Apache modul
php_flag engine off php_flag engine off
Options -ExecCGI -Includes -Indexes Options -ExecCGI -Includes -Indexes
### Don't allow access to .yml files
Yaml files are often used to store sensitive or semi-sensitive data for use by SilverStripe framework (for instance,
configuration and test fixtures).
You should therefore block access to all yaml files (extension .yml) by default, and white list only yaml files
you need to serve directly.
See [Apache](/installation/webserver) and [Nginx](/installation/nginx) installation documentation for details
specific to your web server
## Related ## Related