vendor/composer/installed.json is exposed publicly #17378
Labels: c: Security
Despite the recommended Nginx configuration explicitly denying files under vendor/, Matomo ends up serving up the vendor/composer/installed.json file due to a separate vendor/.htaccess config blurb:

which is generated by this code.
It would be preferable to keep that file private since it reveals exact versions of packages installed on a server. For example: https://demo.matomo.cloud/vendor/composer/installed.json
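A quick way to verify the exposure described above, or to confirm that a deny rule now works, is to request the file and check whether what comes back really is a Composer installed.json rather than a soft-404 page. The script below is an added example written for this page, not Matomo's own code; the host name is a placeholder, and the sample document it parses is constructed (package names and versions are made up). It understands both the Composer 1 layout (a bare list of packages) and the Composer 2 layout (an object with a "packages" list).

```python
"""Added check for the exposure described in this issue: does a Matomo host
serve /vendor/composer/installed.json, and if so which package versions does
it reveal?  Example code written for this page, not Matomo's own code.
The sample document below is constructed and the host URL is a placeholder."""
import json
import sys
import urllib.error
import urllib.request

# Constructed sample in Composer 2 format (an object with a "packages" list);
# Composer 1 wrote a bare list of package objects instead.  Versions are made up.
SAMPLE_INSTALLED_JSON = json.dumps({
    "packages": [
        {"name": "example/foo", "version": "1.2.3", "version_normalized": "1.2.3.0"},
        {"name": "example/bar", "version": "v0.9.0", "version_normalized": "0.9.0.0"},
    ],
    "dev": False,
})


def parse_installed(body):
    """Return [(package, version), ...] from installed.json in either layout.
    Raises ValueError/TypeError/KeyError on anything that is not installed.json."""
    data = json.loads(body)
    packages = data["packages"] if isinstance(data, dict) else data
    if not isinstance(packages, list):
        raise TypeError("unexpected installed.json layout")
    return [(pkg["name"], pkg.get("version", "?")) for pkg in packages]


def is_exposed(status, body):
    """True only for a 200 whose body really is installed.json.  A soft-404
    (200 with an HTML page) or a 403/404 from a working deny rule is not exposure."""
    if status != 200:
        return False
    try:
        parse_installed(body)
    except (ValueError, TypeError, KeyError):
        return False
    return True


def fetch_installed_json(base_url, timeout=10):
    """GET <base_url>/vendor/composer/installed.json; returns (status, body)."""
    url = base_url.rstrip("/") + "/vendor/composer/installed.json"
    req = urllib.request.Request(url, headers={"User-Agent": "installed-json-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 403/404 etc.: the body is irrelevant, only the status matters
        return err.code, ""
    except urllib.error.URLError as err:
        raise SystemExit("could not reach %s: %s" % (url, err.reason))


def report(status, body):
    """Human-readable verdict plus the package list an attacker would learn."""
    if not is_exposed(status, body):
        return "not exposed (HTTP %d)" % status
    lines = ["EXPOSED: vendor/composer/installed.json is world-readable"]
    lines += ["  %s %s" % (name, version) for name, version in parse_installed(body)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_installed_json.py https://matomo.example.org/
    # (placeholder host; any Matomo base URL can be passed instead)
    target = sys.argv[1] if len(sys.argv) > 1 else "https://matomo.example.org/"
    print(report(*fetch_installed_json(target)))
```

The verdict deliberately requires a parseable installed.json, not just a 200 status: a catch-all rewrite that answers every path with the Matomo index page would otherwise produce a false positive, while a 403 from a correctly scoped deny rule (or a 404 once the file is gone) is reported as not exposed.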