Document that yaml files shouldn't be served directly

Hamish Friedlander committed Jan 29, 2013
1 parent 657c14f commit acfc0be471735a7f71954c77b9d4343fd0f91cad
Showing with 32 additions and 3 deletions.
  1. +7 −2 docs/en/installation/nginx.md
  2. +15 −1 docs/en/installation/webserver.md
  3. +10 −0 docs/en/topics/security.md
@@ -19,7 +19,7 @@ configuration settings:
index index.php index.html index.htm;
server_name example.com;
-
+
include silverstripe3;
include htaccess;
}
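Review bot: the `-`/`+` pair on the blank line between `server_name example.com;` and `include silverstripe3;` is a whitespace-only change (the same applies to the blank line in the next hunk); a trailing-whitespace cleanup is harmless, but it is better kept out of a documentation commit so that the substantive `.yml` change is the only thing in the diff for this file.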
@@ -29,7 +29,7 @@ Here is the include file `silverstripe3`:
location / {
try_files $uri @silverstripe;
}
-
+
location @silverstripe {
include fastcgi_params;
@@ -68,6 +68,11 @@ Here is the include file `htaccess`:
try_files $uri $uri/ =404;
}
+ # Block access to yaml files
+ location ~ \.yml$ {
+ deny all;
+ }
+
# cms & framework .htaccess rules
location ~ ^/(cms|framework|mysite)/.*\.(php|php[345]|phtml|inc)$ {
deny all;
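Review bot: the new `location ~ \.yml$ { deny all; }` block is case-sensitive (`~`) and matches only the `.yml` spelling, so a file named `config.YML` on a case-insensitive filesystem, or a `.yaml` file, would still be served by `try_files`; consider `location ~* \.ya?ml$ { deny all; }` to cover both spellings and both cases. Its placement before the `cms|framework|mysite` PHP rule is correct, since nginx takes the first regex location that matches.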
@@ -26,4 +26,18 @@ name' and the default login details. Follow the questions and select the *instal
## Issues?
-If the above steps don't work for any reason have a read of the [Common Problems](common-problems) section.
+If the above steps don't work for any reason have a read of the [Common Problems](common-problems) section.
+
+## Security notes
+
+### Yaml
+
+For the reasons explained in [security](/topics/security) Yaml files are blocked by default by the .htaccess file
+provided by the SilverStripe installer module.
+
+To allow serving yaml files from a specific directory, add code like this to an .htaccess file in that directory
+
+ <Files *.yml>
+ Order allow,deny
+ Allow from all
+ </Files>
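Review bot: the whitelist snippet `Order allow,deny` / `Allow from all` is Apache 2.2 syntax; on Apache 2.4 it only works when mod_access_compat is loaded, so the docs should also give the 2.4 form, `Require all granted`, inside the same `<Files *.yml>` block. The text also says yaml files "are blocked by default by the .htaccess file provided by the SilverStripe installer module", but that deny rule is not shown anywhere in this commit; quoting it here would let readers who did not use the installer add the same block by hand, and would make clear which rule the per-directory `Allow` is overriding.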
@@ -363,6 +363,16 @@ file in the assets directory. This requires PHP to be loaded as an Apache modul
php_flag engine off
Options -ExecCGI -Includes -Indexes
+### Don't allow access to .yml files
+
+Yaml files are often used to store sensitive or semi-sensitive data for use by SilverStripe framework (for instance,
+configuration and test fixtures).
+
+You should therefore block access to all yaml files (extension .yml) by default, and white list only yaml files
+you need to serve directly.
+
+See [Apache](/installation/webserver) and [Nginx](/installation/nginx) installation documentation for details
+specific to your web server
## Related
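Review bot: the new section names only "extension .yml", yet the same format is commonly saved as `.yaml`, and a block keyed on the extension should cover both (and be case-insensitive) so that the deny-by-default actually is a default; the sentence "white list only yaml files you need to serve directly" should say "whitelist" and the closing sentence "specific to your web server" is missing its full stop.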
