You can go two ways to avoid those security issues.

1) Do not store the .xml file on the webserver.

Propel has a command config:convert-xml which converts your XML file into a PHP file, which can't be read by HTTP clients:

    config
      config:convert-xml    Transform the XML configuration to PHP code leveraging the ServiceContainer

So just store the XML file in your VCS repo, but delete it on your webserver and generate a PHP config which you then include in your main index.php.
or

2) Change the entry point of your website.

If you have a structure like this:

    .
    ├── composer.json
    ├── generated-classes/
    ├── generated-conf/
    │   └── config.php
    ├── src/
    │   ├── buildtime-conf.xml
    │   ├── runtime-conf.xml
    │   └── schema.xml
    ├── vendor/
    │   ├── autoload.php
    │   ├── ...
    └── web/
        └── index.php

and you, for example, point your Apache to ./web/ instead of ./, then it's not possible to access any files other than those in the ./web/ folder. Of course, the include statements in your index.php then use /../:

    include __DIR__ . '/../vendor/autoload.php';
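As an added example (not part of the answer above), a small POSIX sh check that can run after deployment to confirm both points: the converted PHP config exists, no Propel XML config is reachable under the document root, and the document root is not the project root itself. The file names and the generated-conf/ and web/ directories follow the tree shown above; the function name check_layout is my own.

```shell
#!/bin/sh
# check_layout PROJECT_ROOT DOCUMENT_ROOT
# Returns 0 when the deployed layout keeps the XML configs off the web,
# non-zero (with a reason on stderr) otherwise.
check_layout() {
    project_root="$1"
    docroot="$2"
    status=0

    # 1) The PHP config produced by `propel config:convert-xml` must be present,
    #    since the XML it was generated from is not deployed.
    if [ ! -f "$project_root/generated-conf/config.php" ]; then
        echo "missing $project_root/generated-conf/config.php" >&2
        status=1
    fi

    # 2) None of the Propel XML config files may sit anywhere below the
    #    document root, where Apache would serve them as plain text.
    for name in runtime-conf.xml buildtime-conf.xml schema.xml; do
        if [ -d "$docroot" ] && find "$docroot" -name "$name" -print 2>/dev/null | grep -q .; then
            echo "$name is reachable under document root $docroot" >&2
            status=1
        fi
    done

    # 3) The document root must be a subdirectory (web/), not the project root:
    #    serving the project root exposes src/, vendor/ and generated-conf/.
    if [ -d "$docroot" ] && [ "$(cd "$docroot" && pwd -P)" = "$(cd "$project_root" && pwd -P)" ]; then
        echo "document root equals project root: every project file is web-reachable" >&2
        status=1
    fi

    return $status
}
```

Run it from a deploy hook as `check_layout /var/www/app /var/www/app/web` (paths are placeholders) and abort the rollout on a non-zero exit.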