Problem/Motivation

.htaccess prevents the po format from being downloaded, so we can't share PO files. There doesn't seem to be much reason for them to be protected.

Proposed resolution

See patches below.

Remaining tasks

Decide whether or not PO format should actually be protected or not.

Reasons to protect PO format:

  1. A po file name reveals module names and version numbers. This may be a security risk.
  2. po files of custom modules reveal custom functionality. This may be undesirable on sites where functionality is hidden from anonymous users, e.g. an intranet.

Reasons not to protect:

  1. Out of the box, Drupal can share its po files publicly.

Comments

timmillwood

Status: Needs review » Reviewed & tested by the community

Looks good here!

webchick

Status: Reviewed & tested by the community » Needs review
Issue tags: +D8MI

Er. Can I get confirmation on this from someone on the D8MI team?

guillaumev

Is there any plan to have this patch backported to 7.x ?

Sutharsan

@droplet, can you explain what problem we are solving here?

droplet

.htaccess prevents the po format from being downloaded; therefore we can't share PO files.

Sutharsan

Please explain the use case for sharing po's.

droplet

Just want to share a po file.
l10n_server shares a po file.

Any reason to protect it?

Sutharsan

See this discussion back in 2006 which introduced the po extension in the .htaccess file: #105300: Protect PO files from being read over HTTP. I think it is still valid.

droplet

PO files are named like moduleName-versionNumber.po... It tells hackers the module's version... and there is no longer a commit hash included in LDO's PO files.

If someone saves a password inside a PO file, that's crazy. Okay, I've never assumed they won't...

guillaumev


Just in case someone needs a working patch for the latest version of Drupal 7...

Status: Needs review » Needs work

The last submitted patch, 1763068-remove-po-10.patch, failed testing.

jair

Issue tags: +Needs reroll

Needs reroll

guillaumev


New patch for 7.23

garphy

Issue tags: -Needs reroll

Rerolled for D8.
@guillaumev, could you please name your D7 backport patches so it's more obvious when reading the patch filename?

garphy

Status: Needs work » Needs review

guillaumev

Issue summary: View changes

Here is a patch for Drupal 7.24.

Sutharsan

I think this summarises the arguments:

Reasons to protect PO format:

  • A po file name reveals module names and version numbers. This may be a security risk.
  • po files of custom modules reveal custom functionality. This may be undesirable on sites where functionality is hidden from anonymous users, e.g. an intranet.

Reasons not to protect:

  • Out of the box, Drupal can share its po files publicly.

droplet

PO files are stored in the files dir in D8, which is meant to be public (or a private path, based on your settings).

jhedstrom

Folks seem divided on whether these should be public by default, or not. #17 summarizes this issue fairly well.

areke

Issue summary: View changes

droplet

The 2 points in #17 are pointless.

1. Drupal Core shows the version number in the HTML source code as well. There's an issue about removing it, but it was rejected by top Core developers. I don't see any reason that wouldn't apply to modules.

2. Why not save them in the private dir by default then?

Gábor Hojtsy

Title: Remove .po protection from htaccess » Allow .po downloads from Drupal except in the configured translations directory
Status: Needs review » Needs work
Issue tags: +language-ui

@droplet: Drupal does not actually output the version numbers of modules on your site. By probing the translations directory (sites/default/files/translations by default), scripts could collect which modules you run and which versions. While it is perfectly fine to let .po files be uploaded at other locations, the translations subdirectory used for downloading translations could pose a security risk.

Retitled according to that. That would mean that while removing the deny from the .htaccess for files, the configurable translations directory needs its own deny rule generated.
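As an added illustration of the retitled proposal (not one of the patches attached to this issue, and not Drupal core's exact .htaccess text, whose FilesMatch list is simplified here), the two Apache pieces it implies are: the site-root rule with "po" dropped from the denied extensions, and a separate deny-all .htaccess that the site would have to generate inside its configured translations directory. The directory path is assumed to be the default sites/default/files/translations.

```apache
# Piece 1: site-root .htaccess. The global deny-by-extension rule, modelled on
# Drupal's but with "po" removed, so .po files uploaded anywhere else under
# files/ can be shared over HTTP.
<FilesMatch "\.(engine|inc|install|module|profile|sh|.*sql|theme|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$">
  # Apache 2.4
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2
  <IfModule !mod_authz_core.c>
    Order allow,deny
  </IfModule>
</FilesMatch>

# Piece 2: .htaccess written into the configured translations directory
# (assumed: sites/default/files/translations). Only Drupal's own importer
# reads these files, so nothing in the directory needs to be served; a
# blanket deny stops <module>-<version>.po names from being enumerated.
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
  Order allow,deny
  Deny from all
</IfModule>

# Same hardening Drupal applies to files/ directories: no listings, and no
# script execution even if a .php file ever lands here.
Options -Indexes -ExecCGI -Includes -MultiViews
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
```

The per-directory file only takes effect where AllowOverride permits it, and it does nothing on nginx, which needs an equivalent `location` block; a site that moves the translations directory must regenerate the file in the new location, which is the "generated" step the comment above is asking for.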

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.