.htaccess in files directory
druppi - May 28, 2007 - 10:14
| Project: | Drupal |
| Version: | 5.1 |
| Component: | file system |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | by design |
Description
With the generated .htaccess file in the files directory the files in this directory become unaccessible. My webhoster is Strato. The .htaccess initially reads:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinksUncommenting the first line as in
# SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinkssolves the problem.
I have searched the docs for the meaning of
SetHandler and found out that there must be a corresponding Action directive in this .htaccess or in a .htaccess in any upper directory. As it is now, Apache does not know the handler and returns an error (i.e. the required images are not loaded).
My questions are: where is the handler to be used defined? Is it a security issue to do without the SetHandler?
Regards,
Wilfried
#1
Sorry, forgot some technical details:
PHP 5.2.2
Apache/1.3.31 (Unix)
wilfried
#2
I got a similar issue with my site5.com hosting plan.
subscribing until I've investigated this closer.
#3
removing that isn't a good idea, see the security advisory it references: http://drupal.org/node/65409
#4
even uncommenting the first line doesn't make the files accessible to me.
I try to get the image module showing me some images on strato...
#5
I get the same error, because my server doesn't have AllowOverride FileInfo turned on (and I don't have access to change that).
This code seems to be cruft left over from the security revision:
http://drupal.org/node/66763
The fix described in DRUPAL-SA-2006-007 seems to be in upload.module, so this part should be removed
and that's what the patch does.
For the initial poster, you can apply the patch, or ask your Apache server admin to give you AllowOverride FileInfo access.
#6
any news about this?
#7
To summarize:
The vulnerability was that uploading files with a '.php' extension, for instance could be uploaded and then run.
1. DRUPAL-SA-2006-006, the original solution, created .htaccess files with
SetHandlerso php files would not be run.However!
2. DRUPAL-SA-2006-007 (original text), realized that the .htaccess file crippled all access to the upload directory on apache configurations where SetHandler is not allowed in .htaccess.
3. So, SA-2006-007's fix was INSTEAD to change dangerous extensions so that the prefix gained an '_' like s/.php/._php/g. This removed the requirement for the SetHandler fix.
4. The upload.module does #3, but for some reason the code to create .htaccess files is STILL in drupal core's file.inc.
5. Therefore, the offending code must be removed. (see patch above)
#8
Actually the .htaccess code was left in place because there may already have been files with such dangerous extensions, uploaded in the past. Renaming the files on upload only fixes things for newly uploaded files.
If for some reason your host does not allow you to override these options in .htaccess, you can create an empty .htaccess file in that directory. That will prevent drupal from creating one. But you should read the SAs so that you are aware of the possible security implications. You don't want a quick fix like this and have your site hacked a week later ;)
Note that the problematic filenames aren't things like ".php" because those shouldn't be allowed to be uploaded, but filenames like ".php.txt" which get executed as PHP in many configurations.