Drupal 7.24: .htaccess modifications for private and temp folders
To prevent code execution it is recommended to modify the .htaccess files for the files folder, private files folder, and tmp folder. The location for these are defined in admin/config/media/file-system. According to SA-CORE-2013-003 the .htaccess contents for the files folder should read:
# Turn off all options we don't need.
Options None
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>Then the instruction below that reads:
Additionally, the .htaccess of the temporary files directory and private files directory (if used) should include this command:
Deny from all
To me, it appeared that it would be sufficient to add this line to the .htaccess files already present but the status screen displayed the following errors:
Private files directory
Not fully protectedand
Temporary files directory
Not fully protectedAfter I modified the .htaccess for both the private and tmp folder so that the content is the same as for the main files folder, plus the added deny statement the errors disappeared:
Private folder:
SetHandler This_is_a_Drupal_security_line_do_not_remove
Deny from all
# Turn off all options we don't need.
Options None
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>Tmp folder:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Deny from all
# Turn off all options we don't need.
Options None
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
Comments
I found this posting after updating my .htaccess in the tmp folder.
I've even copied and pasted the code from here.
But I am still getting the same security warning on the Status Report. Any suggestions?
There are others also reporting issues after modifying the .htaccess files. Check out this Drupal post, in particular regarding the location of your temp folder: https://drupal.org/node/2140629
Also see this post: http://drupal.org/node/2141065
Pay close attention to
tmpv./tmpv../tmp. You're not alone but if this doesn't help I don't really have an answer.