Problem/Motivation
Drupal core ships with a set of maintenance scripts in core/scripts. One of them is transliteration_data.php.txt (added in #2097587: Follow-up: Add transliteration data maintenance script to scripts directory).
That script is dangerous to run, so the decision was made to ship it with a .txt extension, so that it cannot be run via the browser or executed accidentally. However, the file is still exposed to the web: it is not protected by .htaccess, for example, so the full source is served to anyone who requests it. This produces a false positive during automated security scans, with a message like:
Source code disclosure
Looks like the source code for this script is available.
Steps to reproduce
Open any D8/9 website and request /core/scripts/transliteration_data.php.txt
For example https://dri.es/core/scripts/transliteration_data.php.txt
Proposed resolution
Scenario A:
- Remove the .txt extension and make it a normal PHP file
- Add protection against running via the browser (bail out unless PHP is running under the CLI SAPI)
- Comment out the actual code execution part, i.e. force the user to uncomment it before it can be run
- Create a follow-up issue to refactor the script
Scenario B:
- Remove the script (as @Charlie ChX Negyesi suggested)
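A sketch of what the Scenario A guard could look like. This is illustration code added to the issue summary, not the patch and not the real transliteration_data.php script; the function names and the body of run_maintenance() are assumptions.

```php
<?php

/**
 * Hypothetical sketch of Scenario A for a core/scripts maintenance script.
 *
 * Added as an example for this issue; not the actual patch. Names are
 * assumptions. No shebang line is used on purpose: if a web SAPI ever
 * executed this file, a "#!" line would be sent before the 403 header.
 */

/**
 * Returns TRUE only when PHP is running under the command-line SAPI.
 *
 * Under a web server (mod_php, php-fpm, cgi) PHP_SAPI reports something
 * else, e.g. "apache2handler" or "fpm-fcgi", so the script refuses to run.
 */
function script_is_cli(): bool {
  return PHP_SAPI === 'cli';
}

/**
 * Refuses to run outside the CLI: send a 403 and stop before doing anything.
 */
function require_cli(): void {
  if (!script_is_cli()) {
    http_response_code(403);
    echo "This script may only be run from the command line.\n";
    exit(1);
  }
}

/**
 * The dangerous part of the script, kept in a function that is only
 * called from the deliberately commented-out line at the bottom.
 */
function run_maintenance(): void {
  // Assumed placeholder: the real script regenerates data files here.
  echo "Maintenance task executed.\n";
}

require_cli();

// Intentionally commented out so the script is inert even when run from the
// CLI by accident. Uncomment the next line only when you mean to run it.
// run_maintenance();
```

Run it as `php core/scripts/<name>.php` from the docroot. Note what the guard does and does not cover: it stops execution through the web (the server runs the .php file and gets a 403 back), but it only helps if the web server actually hands .php files in core/scripts to PHP. A server that serves that directory as static content would still disclose the source, which is the same problem this issue reports for the .txt version, so the .htaccess (or equivalent nginx) rules for core/scripts are worth checking alongside the extension change.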
Remaining tasks
- Agree on scenario A or B
- Review & approve the patch
User interface changes
None
API changes
None
Data model changes
None
Release notes snippet
TBD