
[#2373] Blocked access to 'web/core/*.txt' and '*.md' files in '.htaccess'. #2420

Merged: AlexSkrypnyk merged 2 commits into main from feature/2373-rm-core-txt on Mar 25, 2026

@AlexSkrypnyk AlexSkrypnyk commented Mar 25, 2026

Closes #2373

Summary

Added a RewriteRule to web/.htaccess that blocks public HTTP access to .txt and .md files inside the web/core/ directory. This prevents exposure of Drupal core text files (such as CHANGELOG.txt, LICENSE.txt, README.md) via HTTP requests, which can leak version information and aid in fingerprinting the Drupal installation.

Changes

web/.htaccess

  • Added RewriteRule ^core/.*\.(txt|md)$ - [F] to deny access to .txt and .md files under the core/ directory, returning a 403 Forbidden response.

Installer test fixtures

  • Updated .htaccess snapshots in hosting_acquia and hosting_project_name___acquia fixture directories to reflect the new rule, keeping test fixtures in sync with the production .htaccess.

Before / After

Before:
  ...
  RewriteRule ^core/install.php core/install.php?rewrite=ok [QSA,L]

  # Pass all requests not referring directly to files...
  RewriteCond %{REQUEST_FILENAME} !-f
  ...

After:
  ...
  RewriteRule ^core/install.php core/install.php?rewrite=ok [QSA,L]

  # Deny access to text files in core directory.
  RewriteRule ^core/.*\.(txt|md)$ - [F]           ← new rule

  # Pass all requests not referring directly to files...
  RewriteCond %{REQUEST_FILENAME} !-f
  ...
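
Review bot: the new `RewriteRule ^core/.*\.(txt|md)$ - [F]` line matches case-sensitively because it carries only the `[F]` flag, so a request path ending in `.TXT` or `.MD` under `core/` does not match it, and on a docroot served from a case-insensitive filesystem that request still resolves to the same file. Adding `NC` to the flags (`[F,NC]`) closes that gap. The pattern is also anchored to `core/`, so `.txt` and `.md` files elsewhere under the docroot remain reachable; if that scope is intentional, the comment above the rule should say so.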

Summary by CodeRabbit

  • Bug Fixes
    • Restricted access to certain document files in the core directory to improve security.

coderabbitai bot commented Mar 25, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between a19572f and 6b10bd3.

⛔ Files ignored due to path filters (2)
  • .vortex/installer/tests/Fixtures/handler_process/hosting_acquia/docroot/.htaccess is excluded by !.vortex/installer/tests/Fixtures/**
  • .vortex/installer/tests/Fixtures/handler_process/hosting_project_name___acquia/docroot/.htaccess is excluded by !.vortex/installer/tests/Fixtures/**
📒 Files selected for processing (1)
  • web/.htaccess

Walkthrough

The change adds a single Apache mod_rewrite rule to the .htaccess file that forbids HTTP access to text and markdown files within the core/ directory. This is a security-related configuration change to prevent public access to documentation and changelog files.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Apache Rewrite Security Rule: web/.htaccess | Added mod_rewrite rule to deny HTTP access to .txt and .md files under the core/ directory using [F] (forbidden) flag. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A rabbit hopped through the server with care,
Finding files that shouldn't be there,
With a rule and a bounce, [F] for the fight,
No more .txt sneaking into the night! 📄✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: blocking access to .txt and .md files in web/core/ via .htaccess configuration. |
| Linked Issues check | ✅ Passed | The PR implements server-side access restrictions for .txt and .md files in web/core/, directly addressing issue #2373's objective to prevent exposure of Drupal core text files. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to blocking access to .txt and .md files in web/core/; fixture updates maintain consistency with the production .htaccess change. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |



codecov bot commented Mar 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.08%. Comparing base (a19572f) to head (6b10bd3).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2420      +/-   ##
==========================================
- Coverage   79.56%   79.08%   -0.48%     
==========================================
  Files         126      119       -7     
  Lines        6734     6575     -159     
  Branches       44        0      -44     
==========================================
- Hits         5358     5200     -158     
+ Misses       1376     1375       -1     


@github-actions

Code coverage (threshold: 90%)

  Classes: 100.00% (1/1)
  Methods: 100.00% (2/2)
  Lines:   100.00% (189/189)
Per-class coverage
Drupal\ys_demo\Plugin\Block\CounterBlock
  Methods: 100.00% ( 2/ 2)   Lines: 100.00% ( 10/ 10)

@AlexSkrypnyk AlexSkrypnyk merged commit a47c487 into main Mar 25, 2026
30 checks passed
@AlexSkrypnyk AlexSkrypnyk deleted the feature/2373-rm-core-txt branch March 25, 2026 04:22
@github-project-automation github-project-automation bot moved this from BACKLOG to Release queue in Vortex Mar 25, 2026
Development

Successfully merging this pull request may close these issues.

Remove web/core/CHANGELOG.txt on assemble