Despite the recommended Nginx configuration explicitly denying files under vendor/, Matomo ends up serving up the vendor/composer/installed.json file due to a separate vendor/.htaccess config blurb:

```
# Allow to serve static files which are safe
<Files ~ "\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$">
        Require all granted
</Files>
```

which is generated by this code.

It would be preferable to keep that file private since it reveals exact versions of packages installed on a server. For example: https://demo.matomo.cloud/vendor/composer/installed.json

@Findus23 commented on March 23rd 2021 Member

At least in the nginx config this was intentional. I ordered the blocks so that in ~ ^/(config|tmp|core|lang) every request is blocked while in ~ ^/(libs|vendor|plugins|misc/user|node_modules) the static files you list are allowed.

I don't think the composer/installed.json is any issue as everyone can also see it publicly on this repository or download it from the matomo.zip. But it might not be necessary to share the vendor/ directory, so you can try moving it to the other block (or change the .htaccess) and see if anything breaks.

@tsteur commented on March 23rd 2021 Member

We could simply exclude it from the release zip as discussed (also similar files) and in general any composer.json, installed.json, package.json...

@sgiehl commented on March 25th 2021 Member

Actually composer.json and package.json are already removed. Seems only installed.json is missing. Will prepare a PR to fix this.
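
Added example, not part of the thread and not Matomo's code: a Python model of the two nginx location patterns and the vendor/.htaccess extension allowlist quoted above, used to list which dependency manifests under a web root those rules would serve. The function names and the sample directory tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Patterns copied from the thread: the two nginx location prefixes and the
# extension allowlist from vendor/.htaccess.
DENY_ALL = re.compile(r"^/(config|tmp|core|lang)")
STATIC_DIRS = re.compile(r"^/(libs|vendor|plugins|misc/user|node_modules)")
STATIC_EXT = re.compile(
    r"\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$"
)
MANIFESTS = {"composer.json", "installed.json", "package.json"}  # named in the thread


def is_served(url_path):
    """Model of the rules: fully blocked dirs first, then static files in static dirs."""
    if DENY_ALL.search(url_path):
        return False
    if STATIC_DIRS.search(url_path):
        return bool(STATIC_EXT.search(url_path))
    return None  # path is outside the rules quoted on this page


def exposed_manifests(webroot):
    """Return URL paths of dependency manifests that the modelled rules would serve."""
    root = Path(webroot)
    hits = []
    for f in root.rglob("*"):
        if f.is_file() and f.name in MANIFESTS:
            url = "/" + f.relative_to(root).as_posix()
            if is_served(url):
                hits.append(url)
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample layout for the demo, not a real Matomo release."""
    for rel in ("vendor/composer/installed.json", "vendor/autoload.php",
                "config/composer.json", "plugins/Demo/package.json"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("{}")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for url in exposed_manifests(tmp):
            print("served:", url)
```

Pointing `exposed_manifests` at an unpacked release directory gives a list of files to drop from the zip or to deny explicitly in the web server configuration.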

