Problem/Motivation
.htaccess prevents the po format from being downloaded, so we can't share PO files. There doesn't seem to be much reason for them to be protected.
Proposed resolution
See patches below.
Remaining tasks
Decide whether or not PO format should actually be protected or not.
Reasons to protect PO format:
- A po file name reveals module names and version numbers. This may be a security risk.
- po files of custom modules reveal custom functionality. This may be undesirable on sites where functionality is hidden from anonymous users, e.g. an intranet.
Reasons not to protect:
- Out of the box Drupal can share its po files publicly.
| Comment | File | Size | Author |
|---|---|---|---|
| #16 | d7_1763068_remove-po_16.patch | 667 bytes | guillaumev |
| #14 | remove-po-14.patch | 667 bytes | garphy |
| #13 | 1763068-remove-po-13.patch | 667 bytes | guillaumev |
| #10 | 1763068-remove-po-10.patch | 669 bytes | guillaumev |
| | remove-po.patch | 511 bytes | droplet |
Comments
Comment #1
timmillwood: Looks good here!
Comment #2
webchick: Er. Can I get confirmation on this from someone on the D8MI team?
Comment #3
guillaumev: Is there any plan to have this patch backported to 7.x?
Comment #4
Sutharsan: @droplet, can you explain what problem we are solving here?
Comment #5
droplet: .htaccess prevents the po format from being downloaded, therefore we can't share PO files.
Comment #6
Sutharsan: Please explain the use case for sharing po's.
Comment #7
droplet: Just want to share a po file.
l10_server shares a po file.
Any reason to protect it?
Comment #8
Sutharsan: See this discussion back in 2006 which introduced the po extension in the .htaccess file: #105300: Protect PO files from being read over HTTP. I think it is still valid.
Comment #9
droplet: PO files are named like moduleName-versionNumber.po... It's telling hackers the module's version...... and there is no longer a commit hash included in LDO's PO files.
If someone saves the password inside a PO file, that's crazy. Okay, I've never assumed they won't ....
Comment #10
guillaumev: Just in case someone needs a working patch for the latest version of Drupal 7...
Comment #12
jair: Needs reroll
Comment #13
guillaumev: New patch for 7.23
Comment #14
garphy: Rerolled for D8.
@guillaumev, could you please name your d7 backport patches so it's more obvious when reading the patch filename?
Comment #15
garphy
Comment #16
guillaumev: Here is a patch for Drupal 7.24.
Comment #17
Sutharsan: I think this summarises the arguments:
Reasons to protect PO format:
Reasons not to protect:
Comment #18
droplet: PO files are stored in the files dir in D8, which is meant to be public (or the private path, based on your settings).
Comment #19
jhedstrom: Folks seem divided on whether these should be public by default, or not. #17 summarizes this issue fairly well.
Comment #20
areke
Comment #21
droplet: 2 points in #17 are pointless.
1. Drupal Core shows the version number in HTML source code as well. There's an issue about removing it, but it was rejected by top Core developers. I don't see any reason that won't apply to modules.
2. Why not save them in the private dir by default then??
Comment #22
Gábor Hojtsy: @droplet: Drupal does not actually output the version number of modules on your site. By probing the translations directory (sites/default/files/translations by default), scripts could collect which modules you run and which versions. While it is perfectly fine to let .po files be uploaded at other locations, the translations subdirectory used for downloading translations could pose a security risk.
Retitled according to that. That would mean that while removing the deny from the .htaccess for files, the configurable translations directory needs its own deny rule generated.
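As an added illustration of what #22 proposes (this is not one of the patches on this issue nor Drupal core's generated file): once the global .po deny is dropped from the files .htaccess, a per-directory .htaccess in the configured translations directory (assumed here to be the default sites/default/files/translations) blocks both directory listing and direct reads, so file names like moduleName-versionNumber.po are no longer enumerable over HTTP, while .po files uploaded elsewhere stay downloadable. It assumes Apache 2.4 (mod_authz_core) with a 2.2 fallback.

```apache
# sites/default/files/translations/.htaccess
# Generated for the translations directory only; .po files in other
# locations are unaffected and can still be shared.

# No directory index: listing this directory would expose which
# modules (and which versions) are installed from the .po file names.
Options -Indexes -ExecCGI -Includes -MultiViews

# Deny every direct HTTP read of the downloaded translation files.
<IfModule mod_authz_core.c>
  # Apache 2.4 syntax
  Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
  # Apache 2.2 syntax (mod_access_compat / mod_authz_host)
  Order deny,allow
  Deny from all
</IfModule>

# Belt and braces: never let anything in here execute as a script,
# even if a stray .php file ends up alongside the .po files.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
```

To verify the deployed rule, request the directory itself and one .po file inside it over HTTP; both should return 403, while a .po file placed outside the translations directory is still served.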