Posted by HJulien on March 15, 2015 at 9:57pm
I am getting this error on the Status report:
Public files directory Not fully protected
See http://drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the sites/default/files directory to help protect against arbitrary code execution.
The http://drupal.org/SA-CORE-2013-003 page is overloaded and as clear to me as mud.
Am I supposed to copy the htaccess file under public_html into this folder or the one in the /public_html/tmp/ folder? They're different.
Just to be sure it's a copy, not a move? And if you know exactly what settings need to be changed, you're a genius!
Comments
Don't copy ...
Definitely, do not copy the .htaccess from Drupal's root directory to the files directory.
There should be a new .htaccess under site/default/files with the following in it:
# Turn off all options we don't need.
Options None
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
This should be created automatically for you if the permissions on the directory allow the web server write access to this directory.
Drupal performance tuning, development, customization and consulting: 2bits.com, Inc..
Personal blog: Baheyeldin.com.
There is no htaccess file in sites/default/files
Hi Khalid!
Thank you for replying! The problem exists because there isn't a file in this folder so I don't have a base to start with. I just downloaded a new zip file of 7.34 and it's not there. Maybe this is a core issue?
Drupal creates it ...
That file is not part of the Drupal .tar/.zip file, because it gets created dynamically.
I am guessing that the permissions for sites/default/files is not writable to the web server user, and therefore Drupal cannot create that file for you automatically.
To overcome the error manually, copy the code I posted earlier and create a new .htaccess in sites/default/files.
And then investigate who owns sites/default/files and make that the web server user, or make it writable to that user.
Drupal performance tuning, development, customization and consulting: 2bits.com, Inc..
Personal blog: Baheyeldin.com.
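The manual fix described in the reply above, as a shell sketch. This is an added example, not part of the original thread or Drupal's own code; the function names are hypothetical, and the check only looks for the directives quoted in the reply.

```shell
# Body of the .htaccess, with the directives as posted in the reply above.
files_htaccess_body() {
  cat <<'EOF'
# Turn off all options we don't need.
Options None
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
EOF
}

# Echo "missing", "incomplete" or "ok" for the .htaccess in directory $1.
check_files_htaccess() {
  local f="$1/.htaccess"
  local want
  [ -f "$f" ] || { echo missing; return 1; }
  for want in \
    'Drupal_Security_Do_Not_Remove_See_SA_2006_006' \
    'Drupal_Security_Do_Not_Remove_See_SA_2013_003' \
    'php_flag engine off'; do
    grep -qF -- "$want" "$f" || { echo incomplete; return 1; }
  done
  echo ok
}

# Write the file only when the check fails; an incomplete file is kept
# as .htaccess.bak before being replaced, a good file is left untouched.
fix_files_htaccess() {
  local dir="$1"
  check_files_htaccess "$dir" >/dev/null && return 0
  [ -f "$dir/.htaccess" ] && cp -p "$dir/.htaccess" "$dir/.htaccess.bak"
  files_htaccess_body > "$dir/.htaccess"
}
```

After sourcing the functions, run `fix_files_htaccess sites/default/files` from the Drupal root, then use `ls -ld sites/default/files` to see who owns the directory.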
Thank you! Will do.
For future reference, common permission values for sites/default/files can be either 744 or 755.
--
Lyemium
Thanks!