Index: includes/file.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/file.inc,v
retrieving revision 1.39.2.12
diff -u -p -r1.39.2.12 file.inc
--- includes/file.inc 12 Apr 2006 17:23:29 -0000 1.39.2.12
+++ includes/file.inc 25 May 2006 00:58:22 -0000
@@ -105,6 +105,17 @@ function file_check_directory(&$director
 }
 }
+ if ((variable_get('file_directory_temp', FILE_DIRECTORY_TEMP) == $directory || variable_get('file_directory_path', 'files') == $directory) && !is_file("$directory/.htaccess")) {
+ if (($fp = fopen("$directory/.htaccess", 'w')) && fputs($fp, 'SetHandler This_is_a_Drupal_security_line_do_not_remove')) {
+ fclose($fp);
+ }
+ else {
+ $message = t("Security warning: Couldn't write .htaccess. Please create a .htaccess file in your %directory directory which contains the following line: SetHandler This_is_a_Drupal_security_line_do_not_remove", array('%directory' => $directory));
+ form_set_error($form_item, $message);
+ watchdog('file system', $message, WATCHDOG_ERROR);
+ }
+ }
+
 return true;
 }
Index: INSTALL.txt
===================================================================
RCS file: /cvs/drupal/drupal/INSTALL.txt,v
retrieving revision 1.17.2.3
diff -u -p -r1.17.2.3 INSTALL.txt
--- INSTALL.txt 23 Apr 2005 05:07:49 -0000 1.17.2.3
+++ INSTALL.txt 25 May 2006 01:09:59 -0000
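Review bot: When fopen() succeeds but fputs() fails, the else branch of the new `$fp` condition leaves the handle open, because fclose() is only reached on the success path; close it in the error branch too, `if ($fp) { fclose($fp); }`, before form_set_error() is called. The protection is keyed on plain string equality between the two configured paths and `$directory`, so a caller passing an equivalent but differently spelled path (for example with a trailing slash) would presumably skip the .htaccess write without any message — confirm that the earlier part of file_check_directory normalises the path before this point. A failed fopen() also emits a PHP warning of its own before the watchdog entry is written, which is worth knowing when reading logs. An existing .htaccess that lacks the SetHandler line is accepted without inspection, so the INSTALL.txt notice in the other hunk is the only coverage for that case; a watchdog notice when the line is missing would make the gap visible to administrators. file_check_directory begins outside the hunk; only its closing brace is visible here.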
@@ -189,6 +189,13 @@ INSTALLATION
 by the Drupal server process. You can change the name of this subdirectory at "Administer > Settings > File system settings".
+ SECURITY NOTICE: Certain Apache configurations can be vulnerable
+ to a security exploit allowing arbitrary code execution. Drupal
+ will attempt to automatically create a .htaccess file in your
+ "files" directory to protect you. If you already have a .htaccess
+ file in that location, please add the following line:
+ SetHandler This_is_a_Drupal_security_line_do_not_remove
+
 You can now launch your browser and point it to your Drupal site. Create an account and login. The first account will automatically