mrjmd
diff --git a/‎.htaccess
+1-1 b/‎.htaccess
+1-1
diff --git a/‎core/modules/system/src/Tests/System/HtaccessTest.php
+5 b/‎core/modules/system/src/Tests/System/HtaccessTest.php
+5
diff --git a/‎core/modules/system/tests/fixtures/HtaccessTest/composer.json b/‎core/modules/system/tests/fixtures/HtaccessTest/composer.json
diff --git a/‎core/modules/system/tests/fixtures/HtaccessTest/composer.lock b/‎core/modules/system/tests/fixtures/HtaccessTest/composer.lock
diff --git a/‎web.config
+1-1 b/‎web.config
+1-1
@@ -3,7 +3,7 @@
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
 
@@ -86,6 +86,11 @@ protected function getProtectedFiles() {
     foreach ($file_exts_to_allow as $file_ext) {
       $file_paths["$path/access_test.$file_ext"] = 200;
     }
+
+    // Ensure composer.json and composer.lock cannot be accessed.
+    $file_paths["$path/composer.json"] = 403;
+    $file_paths["$path/composer.lock"] = 403;
+
     return $file_paths;
   }
 
 
@@ -22,7 +22,7 @@
     <rewrite>
       <rules>
         <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$" />
+          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock))$" />
           <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
         </rule>
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`#`
`4`	`4`
`5`	`5`	`# Protect files and directories from prying eyes.`
`6`		`-<FilesMatch "\.(engine\|inc\|install\|make\|module\|profile\|po\|sh\|.sql\|theme\|twig\|tpl(\.php)?\|xtmpl\|yml)(~\|\.sw[op]\|\.bak\|\.orig\|\.save)?$\|^(\..\|Entries.\|Repository\|Root\|Tag\|Template)$\|^#.#$\|\.php(~\|\.sw[op]\|\.bak\|\.orig\|\.save)$">`
	`6`	`+<FilesMatch "\.(engine\|inc\|install\|make\|module\|profile\|po\|sh\|.sql\|theme\|twig\|tpl(\.php)?\|xtmpl\|yml)(~\|\.sw[op]\|\.bak\|\.orig\|\.save)?$\|^(\..\|Entries.\|Repository\|Root\|Tag\|Template\|composer\.(json\|lock))$\|^#.#$\|\.php(~\|\.sw[op]\|\.bak\|\.orig\|\.save)$">`
`7`	`7`	`<IfModule mod_authz_core.c>`
`8`	`8`	`Require all denied`
`9`	`9`	`</IfModule>`
Original file line number	Diff line number	Diff line change
`@@ -86,6 +86,11 @@ protected function getProtectedFiles() {`
`86`	`86`	`foreach ($file_exts_to_allow as $file_ext) {`
`87`	`87`	`$file_paths["$path/access_test.$file_ext"] = 200;`
`88`	`88`	`}`
	`89`	`+`
	`90`	`+ // Ensure composer.json and composer.lock cannot be accessed.`
	`91`	`+ $file_paths["$path/composer.json"] = 403;`
	`92`	`+ $file_paths["$path/composer.lock"] = 403;`
	`93`	`+`
`89`	`94`	`return $file_paths;`
`90`	`95`	`}`
`91`	`96`