Add config files to protected_web_paths in pantheon.yml

[jenlampton]

We're still using core's default behavior of naming the config directory by using an md5 hash of the database connection information, which is security-by-obscurity:

$config_directories['active'] = 'files/config_' . md5($database) . '/active';
$config_directories['staging'] = 'files/config_' . md5($database) . '/staging';

Pantheon now provides a protected_web_paths option in the pantheon.yml that will more securely prevent anyone from being able to access these files.

For new installs, I'd like to recommend that we include files/config in the list of protected paths, and replace the config locations as follows:

$config_directories['active'] = 'files/config/active';
$config_directories['staging'] = 'files/config/staging';

Would it be possible to make such a change without affecting current sites?

[herbdool]

I agree it would be good to switch to using protected paths. Though we'll need a strategy here because I think it'll change it for existing sites too. Not sure of best approach. Maybe an update hook to move the config, if possible. Or have a conditional to check for config in the old location if the new one fails.

[herbdool]

I've added a PR. I think it'll do the trick and still be backwards-compatible. I haven't tested so I'm not sure if the random directory will be created in a regular install or if it'll skip that. So needs testing before we can merge.