Open conf-test opened 3 years ago
Thank you for the issue. I am working on a redesign in mwaeckerlin/nginx and mwaeckerlin/php-fpm, so that the images are smaller and therefore more secure. After finishing that, I'll update this repository.
Rewrite started, comments welcome. 2903d11621e9b7b2f47d432159b8e8bea3fe718c
Awesome, added a comment https://github.com/mwaeckerlin/dokuwiki/commit/2903d11621e9b7b2f47d432159b8e8bea3fe718c#r49686856
Hi,
I'm a security researcher. Thank you for providing this useful docker image! After I set it up, I found your docker image discloses some sensitive directories and files to the public:
To make things worse, PUT and DELETE HTTP methods on these files are open to the outside, which means they can be arbitrarily changed by outside attackers if they want.
These files should not be exposed as warned in https://www.dokuwiki.org/security.
- `vendor/`: directory contains executables that may be exploited by attackers if they get its contents.
- `.htaccess`: files can be used in web-based exploitation, as mentioned here. They use this file to hide malware, to redirect search engines to their own sites, and for many other purposes (hide backdoors, inject content, modify the php.ini values, etc).
- `phpunit.xml`: is for unit testing. You should not leave them on a live production server. (ref)
- `composer/installed.json`: exposes config info (ref)

Would it be better to block these accesses in your docker image? Thanks!
Best, -ct
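An added example, not the repository's own configuration and not code from the reporter or maintainer, of how an nginx-fronted DokuWiki image can close the two gaps the report describes: the listed paths are denied outright, and any HTTP method DokuWiki does not need (PUT, DELETE, PATCH, ...) is refused before it reaches PHP. The document root `/var/www/html`, the php-fpm upstream `php:9000` and the listen port are assumptions; the directory list follows the DokuWiki security page the report links to.

```nginx
# Added example (not the project's config). Assumed: DokuWiki is installed
# under /var/www/html and PHP is served by a php-fpm container named "php".
server {
    listen 80;
    server_name _;
    root /var/www/html;       # assumed document root
    index doku.php;

    # Directories the DokuWiki security page says must not be web-readable.
    # vendor/ also covers vendor/composer/installed.json from the report.
    location ~ ^/(data|conf|bin|inc|vendor)/ {
        deny all;
    }

    # Dotfiles (.htaccess, .git, ...) and build/test metadata at the root.
    location ~ /\. {
        deny all;
    }
    location ~ ^/(phpunit\.xml|composer\.(json|lock))$ {
        deny all;
    }

    location / {
        # DokuWiki only needs GET/HEAD/POST. "GET" implies HEAD in
        # limit_except; everything else gets 403 instead of being executed.
        limit_except GET POST {
            deny all;
        }
        try_files $uri $uri/ @dokuwiki;
    }

    # Standard DokuWiki "nice URL" rewrites.
    location @dokuwiki {
        rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
        rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
        rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
        rewrite ^/(.*) /doku.php?id=$1&$args last;
    }

    location ~ \.php$ {
        # Same method restriction here: the "/" block does not apply to
        # requests that match this regex location.
        limit_except GET POST {
            deny all;
        }
        # Only execute scripts that actually exist on disk.
        try_files $uri =404;
        fastcgi_pass php:9000;    # assumed php-fpm upstream
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

After rebuilding the image, the checks a reviewer would run are `curl -I http://host/vendor/autoload.php`, `curl -I http://host/.htaccess` and `curl -I http://host/phpunit.xml` (each should answer 403, never 200), and `curl -X PUT -d x http://host/doku.php` and `curl -X DELETE http://host/doku.php` (each should answer 403 or 405). The regex locations are evaluated in file order, so the deny rules must stay above the `\.php$` block or a PUT to `/vendor/foo.php` would reach php-fpm.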