Problem/Motivation

As found in this post, composer.json files are indexed by search engines. This is not (necessarily) a security problem, but:

- it seems like a good idea to prevent users from finding a website with such search queries
- we can't think of a good reason why someone would want to access composer.json or composer.lock directly from the web, and malicious visitors could use the information in the files (the exact packages and versions a site depends on) to start looking for known vulnerabilities
Beta phase evaluation

| Issue category | Task |
|---|---|
| Issue priority | Not critical because it does not open a security problem, but it seems like a good idea. |
| Prioritized changes | The main goal of this issue is security. |
| Disruption | Not disruptive. |
Proposed resolution

Initially, we proposed either:

- disallowing search engines from indexing composer.json and composer.lock by adding them to robots.txt
- blocking access to composer.json and composer.lock using .htaccess and web.config

Looking at robots.txt, we did not see any lines that corresponded to the blocking rules in .htaccess or web.config. Based on this precedent, we decided to only update .htaccess and web.config. Blocking the files at the web server also covers the indexing concern on its own: a crawler that receives a 403 has nothing to index, whereas a robots.txt entry is only advisory and would itself advertise the paths to anyone who reads it.
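As an added illustration of the .htaccess side of the resolution (this is not the patch from this issue, nor Drupal core's own .htaccess, which carries a longer FilesMatch rule covering many other file types), the following rule denies direct HTTP access to both files. Apache 2.4 and 2.2 use different access-control directives, so the example handles both; the module names and the anchored pattern are the example's own choices:

```apache
# Added example: deny direct HTTP access to composer.json and composer.lock.
# The pattern is anchored so only these exact file names match. FilesMatch in
# an .htaccess file applies to that directory and everything below it.
<FilesMatch "^composer\.(json|lock)$">
  # Apache 2.4 and newer: access control lives in mod_authz_core.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2: mod_authz_core does not exist, so fall back to Order/Deny.
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

Two checks a practitioner should make after adding such a rule. First, .htaccess is only consulted when the directory's AllowOverride permits it; on a server configured with AllowOverride None the file is never read, so verify the rule with a request such as `curl -I https://example.com/composer.json` and expect a 403 rather than a 200 (example.com here is a placeholder). Second, .htaccess and web.config cover Apache and IIS respectively; an nginx deployment reads neither, so it needs an equivalent rule in its server block, for example `location ~ ^/composer\.(json|lock)$ { deny all; }`. Denying access is a mitigation for files that ship inside the web root; keeping such files outside the document root altogether removes the exposure rather than filtering it.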
Remaining tasks

- Decide on the path moving forwards. We decided to update .htaccess and web.config.
- Write a patch for D8.
- Update patch to add tests.
- Review and RTBC.
- Commit to D8, set Status to Patch (to be ported), change Version to 7.x-dev.
- Post patch to D7 (see #10). Note that @mparker17 could not find any automated tests in D7 that check .htaccess rules.
- Review and RTBC.
- Commit to D7.
- Decide if it's worth porting to D6?
User interface changes
None.
API changes
None.