
Is it safe/ok to have composer in production on a server hosting Magento?

Fabian Schmengler
Supersonic

2 Answers


Security-wise there is no problem as long as composer.json, composer.lock and the vendor directory are outside of the document root. This is the case if you use the recommended setup with pub as document root. Otherwise you should set up your web server such that there is no access to these files (e.g. Deny from all in the Apache configuration).

Why it is problematic if composer files are visible from the outside:

  • Information disclosure: Attackers can see the exact version of all modules and libraries and easily look for known vulnerabilities.
  • Potential security risks in library files: For example, there was one recent exploit in PHPUnit. PHPUnit files were never supposed to be accessible from the web, but if you do not protect vendor, they are. Details: https://www.cvedetails.com/cve/CVE-2017-9841/
Fabian Schmengler
  • Fabian, for a Magento installation, under "document root" do you mean the root directory, where the directories "app", "bin", "dev" etc. are located? Thanks! – Supersonic Sep 06 '17 at 14:47
  • It depends. Document root is what the web server points to. It can be the Magento root directory that you refer to, but it should be the subdirectory "pub" – Fabian Schmengler Sep 06 '17 at 15:44
  • Do you mean that "composer.json" and "composer.lock" should both be located in the "pub" directory, or, on the contrary, not? How do you protect the vendor directory? Thanks! – Supersonic Sep 06 '17 at 15:52
  • On the contrary. You are not supposed to move these files around. This is all about server configuration. – Fabian Schmengler Sep 06 '17 at 15:53
  • How do you protect the "vendor" directory? – Supersonic Sep 06 '17 at 15:56
  • @Supersonic as described here for "downloader": https://magento.stackexchange.com/q/16504/243 (except that deleting or renaming is not an option for vendor). But again, if your server is set up correctly with pub as the document root, you do not need to do anything. – Fabian Schmengler Sep 07 '17 at 06:52
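The server-configuration point made in the answer and comments above, as an added example that is not part of the original post: a virtual host where the Magento root (not pub/) is the document root, with the weak default shown first and the directives that block vendor/ and the composer manifests underneath. Hostname and paths are assumptions.

```apache
# Added example (not from the answer): Magento root served as document root.
# Hostname and paths are assumed values.
<VirtualHost *:80>
    ServerName shop.example.test
    DocumentRoot "/var/www/magento"

    # Weak: the whole Magento root is served as-is, so /composer.lock and
    # /vendor/... are ordinary static files to the web server.
    <Directory "/var/www/magento">
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # Hardening when pub/ cannot be the document root:
    # deny the dependency tree outright (Apache 2.4 syntax; on 2.2 use
    # "Order deny,allow" and "Deny from all", as the answer mentions).
    <Directory "/var/www/magento/vendor">
        Require all denied
    </Directory>

    # ...and the manifests that reveal exact package versions.
    <FilesMatch "^composer\.(json|lock)$">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

After reloading Apache, a request for /composer.lock or /vendor/autoload.php from outside should return 403, which is the quickest check that the directives took effect.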

To prevent directory listings (for security purposes, for example), you should remove the Indexes keyword from every Options directive in your configuration file. Or to prevent them only for a single directory, you can use:

<Directory "/">
  Options -Indexes
</Directory>
velvetInk