Spea / SpBowerBundle

Symfony2 Bundle to handle asset dependencies with bower

PHP files are written in public directory #142

Open integratedforpublishers opened 7 years ago

integratedforpublishers commented 7 years ago

Some Bower supporting repositories contain PHP files. For example the jQuery repo contains some PHP test files: https://github.com/jquery/jquery/tree/master/test/data

In the default configuration the assets:install command will copy the full components directory to a public path (like web/bundles/app/components), including the PHP files, making them available to the public.

The jQuery files do not seem to be very dangerous, but some repos will install a file uploader into your public area: https://github.com/blueimp/jQuery-File-Upload/tree/master/server/php

I think these files should either be stripped from the bundle components folder, or not installed in the public folder. I think it should be possible to configure the safe extensions, because they might be different per bundle or project.

Also, the "ignore" section of bower.json files is ignored. Filtering on this field would help, but it is not 100% reliable, as it isn't configured correctly in every repo.
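The check the issue asks for, written here as an added example and not as SpBowerBundle code: a standalone PHP audit script that walks a public components directory (assumed layout web/bundles/app/components/<package>/...), flags every file whose extension is not on a configurable safe list, and separately reports files that the package's own bower.json "ignore" patterns would have excluded. The safe list, the fixture it builds when run without an argument, and the simplified ignore-pattern matching (a subset of minimatch semantics) are all assumptions made for this example.

```php
<?php
// Added example, not SpBowerBundle code. Audits a public components directory
// (assumed layout <publicDir>/<package>/...) for files that should not be served.
declare(strict_types=1);

// Assumed safe list; the issue suggests making this configurable per bundle/project.
const SAFE_EXTENSIONS = ['js', 'css', 'map', 'json', 'html', 'less', 'scss',
    'png', 'jpg', 'jpeg', 'gif', 'svg', 'ico', 'woff', 'woff2', 'ttf', 'eot'];

/** @return string[] the "ignore" patterns from a package's bower.json, or [] if none */
function readBowerIgnore(string $packageDir): array
{
    $file = $packageDir . '/bower.json';
    if (!is_file($file)) {
        return [];
    }
    $json = json_decode((string) file_get_contents($file), true);
    return is_array($json['ignore'] ?? null) ? $json['ignore'] : [];
}

// Simplified glob -> regex: "**/" spans directories, "*" and "?" stay inside one segment.
function globToRegex(string $glob): string
{
    $re = '';
    for ($i = 0, $n = strlen($glob); $i < $n; $i++) {
        $c = $glob[$i];
        if ($c === '*' && substr($glob, $i, 3) === '**/') {
            $re .= '(?:.*/)?';
            $i += 2;
        } elseif ($c === '*' && substr($glob, $i, 2) === '**') {
            $re .= '.*';
            $i++;
        } elseif ($c === '*') {
            $re .= '[^/]*';
        } elseif ($c === '?') {
            $re .= '[^/]';
        } else {
            $re .= preg_quote($c, '#');
        }
    }
    return '#^' . $re . '$#';
}

// Assumed semantics (a simplification of minimatch): a pattern containing a slash must
// match the whole relative path or one of its leading directories; a pattern without a
// slash ("test", "*.php") matches any single path segment at any depth.
function matchesIgnore(string $relPath, array $patterns): bool
{
    $segments = explode('/', $relPath);
    foreach ($patterns as $pattern) {
        $pattern = trim((string) $pattern, "/ \t");
        if ($pattern === '') {
            continue;
        }
        if (strpos($pattern, '/') === false) {
            $candidates = $segments;
        } else {
            $candidates = [];
            for ($i = 1, $n = count($segments); $i <= $n; $i++) {
                $candidates[] = implode('/', array_slice($segments, 0, $i));
            }
        }
        $regex = globToRegex($pattern);
        foreach ($candidates as $candidate) {
            if (preg_match($regex, $candidate) === 1) {
                return true;
            }
        }
    }
    return false;
}

/** @return array<string, string[]> offending files keyed by reason */
function auditPublicComponents(string $publicDir, array $safeExtensions = SAFE_EXTENSIONS): array
{
    $report = ['unsafe_extension' => [], 'bower_ignored' => []];
    foreach (new DirectoryIterator(rtrim($publicDir, '/')) as $pkg) {
        if ($pkg->isDot() || !$pkg->isDir()) {
            continue;
        }
        $pkgDir = $pkg->getPathname();
        $ignore = readBowerIgnore($pkgDir);
        $files = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($pkgDir, FilesystemIterator::SKIP_DOTS));
        foreach ($files as $file) {
            if (!$file->isFile()) {
                continue;
            }
            $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($pkgDir) + 1));
            $shown = $pkg->getFilename() . '/' . $rel;
            if (!in_array(strtolower($file->getExtension()), $safeExtensions, true)) {
                $report['unsafe_extension'][] = $shown;
            }
            if ($ignore !== [] && matchesIgnore($rel, $ignore)) {
                $report['bower_ignored'][] = $shown;
            }
        }
    }
    return $report;
}

// Constructed fixture that mimics the layout described in the issue; not a real install.
function buildFixture(): string
{
    $root = sys_get_temp_dir() . '/components-' . bin2hex(random_bytes(4));
    foreach (['jquery/dist', 'jquery/test/data', 'uploader/server/php'] as $d) {
        mkdir("$root/$d", 0700, true);
    }
    file_put_contents("$root/jquery/bower.json", json_encode(['ignore' => ['test', '**/.*']]));
    file_put_contents("$root/jquery/dist/jquery.js", '// js');
    file_put_contents("$root/jquery/test/data/echo.php", '<?php // test helper');
    file_put_contents("$root/uploader/server/php/index.php", '<?php // upload handler');
    return $root;
}

// Usage: php audit.php web/bundles/app/components   (no argument: run on the fixture)
$report = auditPublicComponents($argv[1] ?? buildFixture());
foreach ($report as $reason => $paths) {
    foreach ($paths as $p) {
        echo "$reason\t$p\n";
    }
}
exit($report['unsafe_extension'] === [] ? 0 : 1);
```

The script exits non-zero whenever a file with an unlisted extension is found, so it can sit in a deploy pipeline after assets:install as a gate. The bower_ignored column is reported separately on purpose: as the issue notes, "ignore" is not maintained correctly in every repo, so it is useful as a hint about what the upstream author never meant to ship, but the extension allow-list is the control that actually decides what stays in the public directory.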