Open janmashat opened 1 month ago
In addition, the requested "security hardenings" in [#86] could be achieved by excluding those files from the scaffolded ones via Drupal Scaffold plugin config: https://www.drupal.org/docs/develop/using-composer/using-drupals-composer-scaffold#toc_6
So the requested hardenings do not have to be implemented at the web server level.
To be clear, the only concerning part for us is blocking markdown files from being served globally, when there are legitimate use cases for that --- and to be fair/IMO, the README.md of Drupal core does not tell anything about the installed version, etc. It may disclose that Drupal is the app framework, but that could be guessed in many different ways.
(cc @elaman )
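As an illustration of the scaffold-level alternative mentioned above (an added example, not configuration from this thread or from the Drupal project itself): a project's `composer.json` can map a scaffold file to `false` so that Drupal Scaffold never copies it into the docroot. The `web/` web-root and the list of files to exclude are assumptions for this example; the exclusion syntax is the one documented for the plugin.

```json
{
    "extra": {
        "drupal-scaffold": {
            "locations": {
                "web-root": "web/"
            },
            "file-mapping": {
                "[web-root]/README.md": false,
                "[web-root]/INSTALL.txt": false,
                "[web-root]/sites/README.txt": false
            }
        }
    }
}
```

With these mappings the files are simply absent from the docroot after `composer install`, so no `.htaccess` rule is needed to hide them, and any `.md` files a site deliberately publishes elsewhere remain unaffected.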
Fair point regarding .md files not being a direct vulnerability, although I think that publicly facing Markdown documents should be served out of the public file system (e.g. sites/default/files).
Given that MD files are more often included with the code to explain said code (modules, themes, libraries, internal docs, etc), we don't want website visitors to be able to gain access to information about code.
The comment where this change propagates states:
However I wasn't able to find a reference to these new file extensions at the source: https://git.drupalcode.org/project/drupal/-/blob/11.x/.htaccess
Now this has become a breaking change on our project where we serve legitimate .md files sitewide.