From 87e109a360ce9cf069ad991d70920949ab7863ee Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Fri, 10 Nov 2017 16:05:13 -0800
Subject: [PATCH] SECURITY: Create a .htaccess in /vendor after composer runs

The /vendor directory does not need to be web accessible, and to reduce attack surface, it should not be web accessible. We can use the post-install-cmd and post-update-cmd hooks to create a .htaccess after the user has run "composer install" or "composer update". On the first run of composer, this hook will be invoked twice due to the composer merge plugin. If the htaccess file already exists, this hook won't do anything.

Bug: T180237
Change-Id: I2cf6541750c90b5708d7cf5f81b914ae2d9d46d1
---
 composer.json | 5 ++-
 .../ComposerVendorHtaccessCreator.php | 43 +++++++++++++++++++
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 includes/composer/ComposerVendorHtaccessCreator.php

diff --git a/composer.json b/composer.json
index 71c9398c14..a5501d080a 100644
--- a/composer.json
+++ b/composer.json
@@ -79,7 +79,8 @@
 },
 "autoload": {
 "psr-0": {
- "ComposerHookHandler": "includes/composer"
+ "ComposerHookHandler": "includes/composer",
+ "ComposerVendorHtaccessCreator": "includes/composer"
 },
 "files": [
 "includes/compat/Timestamp.php"
@@ -97,6 +98,8 @@
 "fix": "phpcbf",
 "pre-install-cmd": "ComposerHookHandler::onPreInstall",
 "pre-update-cmd": "ComposerHookHandler::onPreUpdate",
+ "post-install-cmd": "ComposerVendorHtaccessCreator::onEvent",
+ "post-update-cmd": "ComposerVendorHtaccessCreator::onEvent",
 "test": [
 "composer lint",
 "composer phpcs"
diff --git a/includes/composer/ComposerVendorHtaccessCreator.php b/includes/composer/ComposerVendorHtaccessCreator.php
new file mode 100644
index 0000000000..1e5efdf13a
--- /dev/null
+++ b/includes/composer/ComposerVendorHtaccessCreator.php
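Review bot: The new `post-install-cmd` / `post-update-cmd` entries in the scripts hunk only fire when Composer actually executes scripts, so an install run with `--no-scripts`, or a deployment that never runs Composer in the web root at all, ends up with no vendor/.htaccess and none of the intended hardening. That is presumably acceptable as defence in depth, but the limitation is not stated anywhere; a one-line note in the ComposerVendorHtaccessCreator class docblock such as `* Only takes effect when Composer runs its scripts (not under --no-scripts).` would save the next maintainer from assuming the file is always present.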
@@ -0,0 +1,43 @@
+
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ */
+
+ /**
+ * Creates a .htaccess in the vendor/ directory
+ * to prevent web access.
+ *
+ * This class runs *outside* of the normal MediaWiki
+ * environment and cannot depend upon any MediaWiki
+ * code.
+ */
+class ComposerVendorHtaccessCreator {
+
+ /**
+ * Handle post-install-cmd and post-update-cmd hooks
+ */
+ public static function onEvent() {
+ $fname = dirname( dirname( __DIR__ ) ) . "/vendor/.htaccess";
+ if ( file_exists( $fname ) ) {
+ // Already exists
+ return;
+ }
+
+ file_put_contents( $fname, "Deny from all\n" );
+ }
+}
-- 
2.20.1
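Review bot: The `file_put_contents` call at the end of `onEvent()` discards its return value, so when vendor/ is not writable the hook exits silently and the directory stays web-reachable, which is exactly the condition this patch exists to prevent; when it returns `false` the hook should at least write a message to STDERR, or throw, so the failed hardening is visible. `Deny from all` is Apache 2.2 syntax that Apache 2.4 only accepts with mod_access_compat loaded; without it the directive is rejected and requests under vendor/ fail with a 500 rather than a clean 403, so writing both forms under `<IfModule>` guards is the portable choice. The hard-coded `/vendor/` path also assumes the default vendor-dir; the Composer `Event` handed to post-install-cmd scripts exposes the configured directory via `$event->getComposer()->getConfig()->get( 'vendor-dir' )`, which would be worth using if this code base ever overrides it. Finally, a .htaccess is only honoured by Apache with AllowOverride enabled, so the class docblock should say this is Apache-only defence in depth rather than a general guarantee.

```php
	public static function onEvent() {
		$fname = dirname( dirname( __DIR__ ) ) . "/vendor/.htaccess";
		// … unchanged: early return when the file already exists …

		// Apache 2.4 understands the mod_authz_core form; 2.2 (and 2.4 with
		// mod_access_compat) needs the legacy Deny directive.
		$content = "<IfModule mod_authz_core.c>\n" .
			"Require all denied\n" .
			"</IfModule>\n" .
			"<IfModule !mod_authz_core.c>\n" .
			"Deny from all\n" .
			"</IfModule>\n";
		if ( file_put_contents( $fname, $content ) === false ) {
			// Make a failed write visible instead of leaving vendor/ exposed silently
			fwrite( STDERR, "Could not create $fname\n" );
		}
	}
```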