As I was working on documentation today, I noticed that if I've disabled advanced help access to certain users on my site via user permissions (because I don't want them to see the docs), the documents are still available if said users were to type the exact path to the help file, e.g. /sites/all/modules/contrib/advanced_help/help/ini-file.html. This appears to be a security problem?

I didn't find any mention of this in the documentation.

The feature request is to outline this in the instructions of the module, and suggest how users can get around the issue.

I added a .htaccess file with a Deny from all line in it to my module's help folder.

Thank you.

Comments

cweagans

Issue summary: View changes

This really isn't a security problem. You're storing documentation as flat html files on a web server. There's not really a lot you can do about the fact that the web server will serve HTML, unless you explicitly tell it not to (as you have done with your .htaccess fix). That said, it might be a good idea to document this in the README or something so that people will be aware of it.

Also, if you come across an issue you think might be a security problem, you should report it to the security team instead of in a public issue. See https://drupal.org/security-team for details.

gisle

Well, these are plain HTML files. They can be accessed, as any HTML file on a Drupal site can be accessed, by anyone who knows or is able to guess the URL. This access is not something that happens through Advanced help (or even Drupal); they can be accessed because the default web-server configuration of a typical Drupal site permits this type of access. For that reason, I do not consider this a security vulnerability.

However, as you both point out, you can stop people from accessing these files directly, forcing access through Drupal. Having this:

# Apache 2.2 access-control syntax (Apache 2.4 uses "Require all denied")
<Files *\.html>
Order Allow,Deny
Deny from all
</Files>

in a .htaccess in the project's help directory should disallow this type of access.

It is the responsibility of the project author to make sure this type of protection is in place if the project's author has files in the project directory that merit protection from direct access.

  • gisle committed e130614 on 7.x-1.x
    Issue #1980936 by gisle: Added .htaccess to repo
    

  • gisle committed 852d227 on 7.x-1.x
    Issue #1980936 by gisle: Added documentation about the use of .htaccess
    
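The thread puts the burden on each project author to ship an .htaccess with its help files, which means a site owner has no single place to see which contributed modules forgot. The script below is an added example, not code from the Advanced help project or from anyone in this thread. It walks a Drupal tree, finds every directory that contains .html files, and reports those whose .htaccess does not contain either the Apache 2.2 directive used above ("Deny from all") or the Apache 2.4 equivalent ("Require all denied"). The module names, file names and tree layout it builds are constructed for illustration. Remember that .htaccess is only honoured by Apache with AllowOverride enabled for the directory; nginx ignores it entirely, so there the same restriction has to be a location block in the server configuration.

```shell
#!/bin/sh
# Added example (not part of the Advanced help project): audit a Drupal tree
# for help directories whose .html files are reachable directly, i.e. that
# lack an .htaccess denying access. Accepts both the Apache 2.2 directive
# ("Deny from all") and the Apache 2.4 form ("Require all denied").
# The module names and paths built below are assumptions for illustration.

# Return 0 if the .htaccess in directory $1 denies all direct access.
htaccess_denies() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -Eiq '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$f"
}

# Print every directory under $1 that contains .html files but is not
# protected by a denying .htaccess.
audit_html_dirs() {
    find "$1" -type f -name '*.html' -exec dirname {} \; | sort -u |
    while IFS= read -r dir; do
        htaccess_denies "$dir" || echo "UNPROTECTED: $dir"
    done
}

# Number of unprotected directories under $1 (0 means the tree is clean).
unprotected_count() {
    audit_html_dirs "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree so the script can run offline.
make_sample_tree() {
    root=$(mktemp -d)
    # module_a: help files protected with the Apache 2.2 directive from the thread.
    mkdir -p "$root/sites/all/modules/contrib/module_a/help"
    echo '<p>doc</p>' > "$root/sites/all/modules/contrib/module_a/help/intro.html"
    printf '<Files *\\.html>\nOrder Allow,Deny\nDeny from all\n</Files>\n' \
        > "$root/sites/all/modules/contrib/module_a/help/.htaccess"
    # module_b: protected with the Apache 2.4 directive.
    mkdir -p "$root/sites/all/modules/contrib/module_b/help"
    echo '<p>doc</p>' > "$root/sites/all/modules/contrib/module_b/help/secret.html"
    printf 'Require all denied\n' > "$root/sites/all/modules/contrib/module_b/help/.htaccess"
    # module_c: has help files but no .htaccess at all.
    mkdir -p "$root/sites/all/modules/contrib/module_c/help"
    echo '<p>doc</p>' > "$root/sites/all/modules/contrib/module_c/help/private.html"
    echo "$root"
}

# Demo run against the constructed tree: reports module_c/help as unprotected.
demo_root=$(make_sample_tree)
audit_html_dirs "$demo_root"
echo "unprotected help directories: $(unprotected_count "$demo_root")"
rm -rf "$demo_root"
```

To audit a real site, call `audit_html_dirs /var/www/drupal` (path assumed) and treat every UNPROTECTED line as a module that needs its own .htaccess, or a matching Files rule in the server configuration. The check is deliberately textual: it confirms a deny directive is present, not that Apache actually applies it, so after fixing a directory still request one of its .html files directly and confirm the server answers 403 while the Drupal help route keeps working.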
gisle

Status: Active » Reviewed & tested by the community

  • gisle committed 560aedf on 7.x-1.x
    Issue #1980936 by gisle: Cleaned up project's own documentation
    
gisle

Status: Reviewed & tested by the community » Fixed
gisle

Version: 7.x-1.0 » 7.x-1.2

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

gisle

Version: 7.x-1.2 » 8.x-1.x-dev

A default .htaccess has been added to the latest snapshot of 8.x-1.x-dev.

Should be backported to Drupal 7.