D7.34 Status Report flags .htaccess required in sites/default/files

HJulien:

I am getting this error on the Status report:

Public files directory Not fully protected
See http://drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the sites/default/files directory to help protect against arbitrary code execution.

The http://drupal.org/SA-CORE-2013-003 page is overloaded and as clear to me as mud.

Am I supposed to copy the htaccess file under public_html into this folder or the one in the /public_html/tmp/ folder? They're different.

Just to be sure it's a copy, not a move? And if you know exactly what settings need to be changed, you're a genius!

Comments

Don't copy ...

kbahey:

Definitely, do not copy the .htaccess from Drupal's root directory to the files directory.

There should be a new .htaccess under sites/default/files with the following in it:

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>

This should be created automatically for you if the permissions on the directory allow the web server write access to this directory.

Drupal performance tuning, development, customization and consulting: 2bits.com, Inc.
Personal blog: Baheyeldin.com.

There is no htaccess file in sites/default/files

HJulien:

Hi Khalid!

Thank you for replying! The problem exists because there isn't a file in this folder so I don't have a base to start with. I just downloaded a new zip file of 7.34 and it's not there. Maybe this is a core issue?

Drupal creates it ...

kbahey:

That file is not part of the Drupal .tar/.zip file, because it gets created dynamically.

I am guessing that the permissions for sites/default/files is not writable to the web server user, and therefore Drupal cannot create that file for you automatically.

To overcome the error manually, copy the code I posted earlier and create a new .htaccess in sites/default/files.

And then investigate who owns sites/default/files and make that the web server user, or make it writable to that user.

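The two kbahey replies above describe what Drupal normally does on its own: write a protective .htaccess into the public files directory, which only works when the web server can write there. The script below is an added example (not Drupal's code, not from anyone in this thread) that performs the same steps by hand: it creates the file with exactly the content posted above if it is missing, verifies that both SetHandler directives are present, and reports the directory's owner and mode so you can compare it with the web server user. The default files path and the web server user name are assumptions; pass your own.

```sh
#!/bin/sh
# Added example: ensure the SA-CORE-2013-003 .htaccess exists in a Drupal 7
# public files directory and that the directory is writable by the web server.
# Paths and user names below are assumptions, not values from the thread.

# Emit the .htaccess content recommended in the thread, verbatim.
expected_htaccess() {
  cat <<'EOF'
# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
EOF
}

# ensure_htaccess DIR
#   Create DIR/.htaccess with the expected content if it does not exist.
#   Return 0 when the file is present and carries both SetHandler lines
#   (the same check Drupal's status report performs), 1 otherwise.
ensure_htaccess() {
  dir="$1"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  if [ ! -f "$dir/.htaccess" ]; then
    expected_htaccess > "$dir/.htaccess" || return 1
    chmod 0444 "$dir/.htaccess"   # read-only, as Drupal does for the file it writes
  fi
  grep -q 'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006' "$dir/.htaccess" &&
    grep -q 'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003' "$dir/.htaccess"
}

# report_ownership DIR WEBUSER
#   Print owner, group and mode of DIR and whether the owner matches WEBUSER,
#   which is the question kbahey asks you to investigate.
report_ownership() {
  dir="$1"
  webuser="$2"
  set -- $(ls -ld "$dir")
  mode="$1"; owner="$3"; group="$4"
  echo "$dir: mode=$mode owner=$owner group=$group"
  if [ "$owner" = "$webuser" ]; then
    echo "owner is the web server user ($webuser); Drupal can create .htaccess itself"
  else
    echo "owner is not $webuser; chown it to $webuser or grant that user write access"
  fi
}

# Usage: sh ensure_htaccess.sh /path/to/sites/default/files www-data
if [ $# -gt 0 ]; then
  files_dir="$1"
  webuser="${2:-www-data}"   # assumed web server user; override with the second argument
  if ensure_htaccess "$files_dir"; then
    echo "$files_dir/.htaccess is in place and contains the required handlers"
  else
    echo "$files_dir/.htaccess is missing or incomplete" >&2
  fi
  report_ownership "$files_dir" "$webuser"
fi
```

Run it against your real files directory once; a second run is harmless because an existing file is only checked, never overwritten. If the check fails on a file that already exists, the file was edited or truncated and should be replaced with the content above.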

Thank you! Will do.

HJulien:

Thank you! Will do.

For future reference, common permission values

_gramur:

For future reference, common permission values for sites/default/files can be either 744 or 755.

Thanks!

HJulien:

Thanks!