Problem/Motivation

htaccess prevents po format from download, so we can't share PO files. There doesn't seem to be much reason for them to be protected.

Proposed resolution

See patches below.

Remaining tasks

Decide whether or not PO format should actually be protected or not.

Reasons to protect PO format:

  1. A po file name reveals module names and version numbers. This may be a security risk.
  2. po files of custom modules reveals custom functionality. This may be undesirable on sites where functionality is hidden from anonymous users. e.g. intranet.

Reasons not not protect:

  1. Out of the box Drupal can share its po files publicly.
CommentFileSizeAuthor
#16 d7_1763068_remove-po_16.patch667 bytesguillaumev
#14 remove-po-14.patch667 bytesgarphy
#13 1763068-remove-po-13.patch667 bytesguillaumev
#10 1763068-remove-po-10.patch669 bytesguillaumev
remove-po.patch511 bytesdroplet

Comments

timmillwood’s picture

timmillwood
Primary language English
Location 🏴󠁧󠁢󠁷󠁬󠁳󠁿 Wales, UK
commented
Status: Needs review » Reviewed & tested by the community

Looks good here!

webchick’s picture

webchick
she/they
Primary language English
Location Vancouver 🇨🇦
commented
Status: Reviewed & tested by the community » Needs review
Issue tags: +D8MI

Er. Can I get confirmation on this from someone on the D8MI team?

guillaumev’s picture

guillaumev commented

Is there any plan to have this patch backported to 7.x ?

sutharsan’s picture

sutharsan commented

@droplet, can you explain what problem we are solving here?

droplet’s picture

droplet commented

htacess prevents po format from download. therefore we can't share PO files.

sutharsan’s picture

sutharsan commented

Please explain the use case for sharing po's.

droplet’s picture

droplet commented

just want to share a po file.
l10_server shares a po file.

any reason to protect it ?

sutharsan’s picture

sutharsan commented

See this discussion back in 2006 which introduced the po extension in the .htaccess file. #105300: Protect PO files from being read over HTTP I think it is still valid.

droplet’s picture

droplet commented

PO files named like moduleName-versionNumber.po... It telling hackers the modules version...... and there is no more commit hash included in LDO's PO files.

If someone save the password inside PO file, that's crazy. OKay, I've never assumed they won't ....

guillaumev’s picture

guillaumev commented
StatusFileSize
new 1763068-remove-po-10.patch669 bytes

Just in case someone needs a working patch for the latest version of Drupal 7...

Status: Needs review » Needs work

The last submitted patch, 1763068-remove-po-10.patch, failed testing.

jair’s picture

jair commented
Issue tags: +Needs reroll

Needs reroll

guillaumev’s picture

guillaumev commented
StatusFileSize
new 1763068-remove-po-13.patch667 bytes

New patch for 7.23

garphy’s picture

garphy
Primary language French
Location Montreal, Canada
commented
Issue tags: -Needs reroll
StatusFileSize
new remove-po-14.patch667 bytes

Rerolled for D8.
@guillaumev, could you please name your d7 backport patches so it's more obvious when reading the patch filename.

garphy’s picture

garphy
Primary language French
Location Montreal, Canada
commented
Status: Needs work » Needs review
guillaumev’s picture

guillaumev commented
Issue summary: View changes
StatusFileSize
new d7_1763068_remove-po_16.patch667 bytes

Here is a patch for Drupal 7.24.

sutharsan’s picture

sutharsan commented

I think this summarises the arguments:

Reasons to protect PO format:

  • A po file name reveals module names and version numbers. This may be a security risk.
  • po files of custom modules reveals custom functionality. This may be undesirable on sites where functionality is hidden from anonymous users. e.g. intranet.

Reasons not not protect:

  • Out of the box Drupal can share its po files publicly.
droplet’s picture

droplet commented

PO files are stored in file dir in D8 which meant to be public (or private path based on your settings)

jhedstrom’s picture

jhedstrom
Primary language English
Location Portland, OR
commented

Folks seem divided on whether these should be public by default, or not. #17 summarizes this issue fairly well.

areke’s picture

areke commented
Issue summary: View changes
droplet’s picture

droplet commented

2 points in #17 are pointless.

1. Drupal Core shows the version number in HTML source code as well. There's an issues about removing it but rejected by top Core developers. I don't see any reason that won't apply to modules

2. why don't save in private dir by default then ??

gábor hojtsy’s picture

gábor hojtsy
he/him
Primary language Hungarian
Location Hungary
commented
Title: Remove .po protection from htaccess » Allow .po downloads from Drupal except in the configured translations directory
Status: Needs review » Needs work
Issue tags: +language-ui

@droplet: Drupal does not actually output version number of modules on your site. By probing the translations directory (sites/default/files/translations by default), scripts could collect which modules you run and which versions. While it is perfectly fine to let .po files be uploaded at other locations, the translations subdirectory used for downloading translations could pose a security risk.

Retitled according to that. That would mean that while removing the deny from the .htaccess for files, the configurable translations directory needs its own deny rule generated.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave’s picture

smustgrave commented
Status: Needs work » Postponed (maintainer needs more info)
Issue tags: +stale-issue-cleanup

Thank you for creating this issue to improve Drupal.

We are working to decide if this task is still relevant to a currently supported version of Drupal. There hasn't been any discussion here for over 8 years which suggests that this has either been implemented or is no longer relevant. Your thoughts on this will allow a decision to be made.

Since we need more information to move forward with this issue, the status is now Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

Thanks!

smustgrave’s picture

smustgrave commented
Status: Postponed (maintainer needs more info) » Needs work

This looks like it could actually still be a valid task.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.