--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/core/modules/system/src/Tests/System/HtaccessTest.php	Wed Nov 29 16:09:58 2017 +0000
@@ -0,0 +1,154 @@
+<?php
+
+namespace Drupal\system\Tests\System;
+
+use Drupal\simpletest\WebTestBase;
+
+/**
+ * Tests .htaccess is working correctly.
+ *
+ * @group system
+ */
+class HtaccessTest extends WebTestBase {
+
+  /**
+   * Modules to enable.
+   *
+   * @var array
+   */
+  public static $modules = ['node', 'path'];
+
+  /**
+   * Get an array of file paths for access testing.
+   *
+   * @return int[]
+   *   An array keyed by file paths. Each value is the expected response code,
+   *   for example, 200 or 403.
+   */
+  protected function getProtectedFiles() {
+    $path = drupal_get_path('module', 'system') . '/tests/fixtures/HtaccessTest';
+
+    // Tests the FilesMatch directive which denies access to certain file
+    // extensions.
+    $file_exts_to_deny = [
+      'engine',
+      'inc',
+      'install',
+      'make',
+      'module',
+      'module~',
+      'module.bak',
+      'module.orig',
+      'module.save',
+      'module.swo',
+      'module.swp',
+      'php~',
+      'php.bak',
+      'php.orig',
+      'php.save',
+      'php.swo',
+      'php.swp',
+      'profile',
+      'po',
+      'sh',
+      'sql',
+      'theme',
+      'twig',
+      'tpl.php',
+      'xtmpl',
+      'yml',
+    ];
+
+    foreach ($file_exts_to_deny as $file_ext) {
+      $file_paths["$path/access_test.$file_ext"] = 403;
+    }
+
+    // Tests the .htaccess file in vendor and created by a Composer script.
+    // Try and access a non PHP file in the vendor directory.
+    // @see Drupal\\Core\\Composer\\Composer::ensureHtaccess
+    $file_paths['vendor/composer/installed.json'] = 403;
+
+    // Tests the rewrite conditions and rule that denies access to php files.
+    $file_paths['core/lib/Drupal.php'] = 403;
+    $file_paths['vendor/autoload.php'] = 403;
+    $file_paths['autoload.php'] = 403;
+
+    // Test extensions that should be permitted.
+    $file_exts_to_allow = [
+      'php-info.txt'
+    ];
+
+    foreach ($file_exts_to_allow as $file_ext) {
+      $file_paths["$path/access_test.$file_ext"] = 200;
+    }
+
+    // Ensure composer.json and composer.lock cannot be accessed.
+    $file_paths["$path/composer.json"] = 403;
+    $file_paths["$path/composer.lock"] = 403;
+
+    return $file_paths;
+  }
+
+  /**
+   * Iterates over protected files and calls assertNoFileAccess().
+   */
+  public function testFileAccess() {
+    foreach ($this->getProtectedFiles() as $file => $response_code) {
+      $this->assertFileAccess($file, $response_code);
+    }
+
+    // Test that adding "/1" to a .php URL does not make it accessible.
+    $this->drupalGet('core/lib/Drupal.php/1');
+    $this->assertResponse(403, "Access to core/lib/Drupal.php/1 is denied.");
+
+    // Test that it is possible to have path aliases containing .php.
+    $type = $this->drupalCreateContentType();
+
+    // Create an node aliased to test.php.
+    $node = $this->drupalCreateNode([
+      'title' => 'This is a node',
+      'type' => $type->id(),
+      'path' => '/test.php'
+    ]);
+    $node->save();
+    $this->drupalGet('test.php');
+    $this->assertResponse(200);
+    $this->assertText('This is a node');
+
+    // Update node's alias to test.php/test.
+    $node->path = '/test.php/test';
+    $node->save();
+    $this->drupalGet('test.php/test');
+    $this->assertResponse(200);
+    $this->assertText('This is a node');
+  }
+
+  /**
+   * Asserts that a file exists and requesting it returns a specific response.
+   *
+   * @param string $path
+   *   Path to file. Without leading slash.
+   * @param int $response_code
+   *   The expected response code. For example: 200, 403 or 404.
+   *
+   * @return bool
+   *   TRUE if the assertion succeeded, FALSE otherwise.
+   */
+  protected function assertFileAccess($path, $response_code) {
+    $result = $this->assertTrue(file_exists(\Drupal::root() . '/' . $path), "The file $path exists.");
+    $this->drupalGet($path);
+    $result = $result && $this->assertResponse($response_code, "Response code to $path is $response_code.");
+    return $result;
+  }
+
+  /**
+   * Tests that SVGZ files are served with Content-Encoding: gzip.
+   */
+  public function testSvgzContentEncoding() {
+    $this->drupalGet('core/modules/system/tests/logo.svgz');
+    $this->assertResponse(200);
+    $header = $this->drupalGetHeader('Content-Encoding');
+    $this->assertEqual($header, 'gzip');
+  }
+
+}