BUG Secure composer files from web access (fixes #8011)

Already applied to root .htaccess, but required for the dynamically
generated file from the installer as well. Also added upgrade instructions.
1 parent e21bd49 commit ede381326b89c23624681d3d242dc092ec213071 @chillu chillu committed Feb 17, 2013
Showing with 43 additions and 3 deletions.
  1. +2 −0 dev/install/install.php5
  2. +41 −3 docs/en/changelogs/3.0.4.md
@@ -1280,6 +1280,8 @@ ErrorDocument 500 /assets/error-500.html
<IfModule mod_alias.c>
RedirectMatch 403 /silverstripe-cache(/|$)
+ RedirectMatch 403 /vendor(/|$)
+ RedirectMatch 403 /composer\.(json|lock)
</IfModule>
<IfModule mod_rewrite.c>
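Review bot: the new `RedirectMatch 403 /composer\.(json|lock)` line has no terminator, unlike the `/silverstripe-cache(/|$)` and `/vendor(/|$)` patterns beside it, so it also matches any longer path that merely contains `/composer.json` or `/composer.lock` as a prefix; for consistency with the two lines above, consider `RedirectMatch 403 /composer\.(json|lock)$`. Both new rules are also inside `<IfModule mod_alias.c>` only, so a host without mod_alias gets no protection; worth stating in the changelog that the rules depend on that module. Finally, the changelog text in this commit's second hunk tells users to update `web.config` for IIS as well, but this diff only touches the generated `.htaccess` template; confirm the IIS equivalent is covered by the same fix or a sibling commit.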
@@ -2,14 +2,52 @@
## Overview
+ * Security: Information leakage through web access on YAML configuration files
+ * Security: Information leakage through web access on composer files
+ * Security: Require ADMIN permissions for `?showtemplate=1`
* Changed `dev/tests/setdb` and `dev/tests/startsession` from session to cookie storage.
- * Require ADMIN permissions for `?showtemplate=1`
## Details
-### Require ADMIN permissions for `?showtemplate=1`
+### Security: Prevent web access to YAML and composer files
-Avoids information leakage of compiled template data,
+Severity: Moderate
+
+Description: YAML files are used to configure the SilverStripe application
+since its 3.0 release. These files can contain sensitive values such as database
+and API credentials. By default, the installer still stores database credentials
+in `_config.php` files which are safe from web access. So this only concerns
+configuration values added in your own project, or a third party module.
+
+Resolution: Update your `.htaccess` file (for Apache), or your `web.config` file (for IIS)
+with the new files from the project root, and reapply any customizations you've made.
+Follow the [general upgrade instructions](/installation/upgrading).
+The [nginx installation instructions](/installation/nginx)
+have also been updated to reflect those changes.
+
+### Security: Information exposure through web access on composer files
+
+Severity: Low
+
+Description: [Composer](http://getcomposer.org) is a dependency management
+tool which can optionally be used to install SilverStripe. The `composer.json`
+and `composer.lock` files are required for its operation, so they are included
+in the standard release since 3.0.2. These files contain information on the installed
+versions of core and thirdparty modules, which could be used to target specific
+versions of SilverStripe.
+
+Resolution: Update your `.htaccess` file (for Apache), or your `web.config` file (for IIS)
+with the new files from the project root, and reapply any customizations you've made.
+Follow the [general upgrade instructions](/installation/upgrading).
+The [nginx installation instructions](/installation/nginx)
+have also been updated to reflect those changes.
+
+
+### Security: Require ADMIN permissions for `?showtemplate=1`
+
+Severity: Low
+
+Description: Avoids information leakage of compiled template data,
which might expose some of the internal template logic.
## Upgrading
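Review bot: the heading `### Security: Prevent web access to YAML and composer files` overlaps with the dedicated `### Security: Information exposure through web access on composer files` section that follows it; narrow the first heading to YAML configuration files so each entry covers one issue, and likewise align the Overview bullet wording ("Information leakage") with the section title ("Information exposure"). The `Resolution:` paragraph is repeated verbatim in both sections; stating it once and referring the second section to it keeps the two from drifting apart in later edits. Minor: `thirdparty` in the composer description should read `third party` as it does earlier in the hunk, and there is a stray double blank line before the `?showtemplate=1` section.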