Currently IIS users get a web.config in the root of Drupal that tries to make Drupal behave well on IIS, but the files directory doesn't get the same treatment. It would be great for Drupal to create a Web.config that attempts to disable execution of files in the public files directory.

According to the docs it's fine to have multiple files:

Multiple configuration files, all named Web.config, can appear in multiple directories on an ASP.NET Web application server. Each Web.config file applies configuration settings to its own directory and all child directories below it.

I asked for help on what this should be in two places - http://groups.drupal.org/node/226059 and http://webmasters.stackexchange.com/questions/28733/prevent-iis-from-exe... and both seem to have created the same resulting file.

CommentFileSizeAuthor
#34 web-config-for-iis-drupal8-1543392-34.patch5.73 KBjayly
#32 web-config-for-iis-drupal8-1543392-32.patch6.08 KBjayly
#30 web-config-for-iis-drupal8-1543392-30.patch6.08 KBjayly
#30 interdiff-20-30.txt3.18 KBjayly
#20 web-config-for-iis-drupal8-1543392-20.patch5.75 KBnerdcore
#16 web-config-for-iis-drupal8-1543392-16.patch5.68 KBnerdcore
#15 web-config-for-iis-1543392-15.patch4.02 KBnerdcore
#10 windows-web.config-files-1543392-10.patch557 bytesmgifford
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

gdd’s picture

gdd
he/him
Primary language English
Location Portland, OR
CreditAttribution: gdd commented

We should also add web.config files to the config staging and active directories (similar to the htaccess files we already have there.)

hass’s picture

hass CreditAttribution: hass commented
Category: feature » bug
Priority: Normal » Critical
Issue tags: -Security improvements +Security

I'm sorry, but this is a security breach and not an improvement as noted in #1914018: hook_requirements() for un-protected configuration directories. Everyone who known the path to the public configuration directory is able to read / download the .yml files that may contain critical information to attack a system. Obfuscating a folder name with a hash does not protect the folders data.

greggles’s picture

greggles
he/him
Primary language English
Location Denver, Colorado, USA
CreditAttribution: greggles commented
Category: bug » feature
Priority: Critical » Normal
Issue tags: +Security improvements

Let's not derail this issue by dragging it into the other areas. If you disagree with what happened to #1914018: hook_requirements() for un-protected configuration directories it doesn't make it appropriate to hijack this issue. This is focused strictly on IIS users and after almost a year none of them have cared enough to provide work. There's no need to screw up core critical thresholds b/c of a webserver that is only partially supported now.

Please do not turn this into another game of issue-status-ping-pong. If you do I will stop following this issue and while that may let you abuse it for your purpose it won't actually help the IIS users.

Note that basically nobody uses the "security" tag while "security improvements" is used. I've left security on, but please don't remove "Security improvements."

hass’s picture

hass CreditAttribution: hass commented

My case #1914932: Config staging directory needs a .htaccess file has been highjacked. They pointed to this case here.

greggles’s picture

greggles
he/him
Primary language English
Location Denver, Colorado, USA
CreditAttribution: greggles commented
Title: Add a web.config to the files directory similar to the .htaccess file » Add a web.config to the several directories similar to the .htaccess file

This is indeed the place to work on a web.config file. I've broadened the topic to include the case you care about. What I'm specifically opposed to is making this a critical issue.

If you feel like you are getting bounced from issue to issue, maybe it's time to change the way you engage with the community. ;) Maybe you could work on a patch? Putting a patch on this would get it done faster than marking it critical, after all.

hass’s picture

hass CreditAttribution: hass commented

I was shocked, that config is located in a public folder. This is a design flaw out of the box as it is insecure. As long as there is discussion about design a patch makes no sense.

adriancotter’s picture

adriancotter CreditAttribution: adriancotter commented

We have implemented this -- but we are having an issue. When someone uploads a file, the file gets uploaded fine, but image styles versions like thumbnails are not being created. We don't really see why this should be the case, because the initial upload words fine. It is the subsequent creation of other files that is not happening.

Just the presence of the web.config without any settings seems to cause the problem.

Any ideas?

Heine’s picture

Heine CreditAttribution: Heine commented

> Just the presence of the web.config without any settings seems to cause the problem.

Is IIS is unable to read the web.config file it will produce an error on accessing files in the files directory.

Jim Bacon’s picture

Jim Bacon CreditAttribution: Jim Bacon commented

I have implemented the following web.config file in my files folder and can confirm that I am able to create thumbnails without any problem.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <clear />
            <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
        </handlers>
    </system.webServer>
</configuration>

... EDIT two years on ...
Now encountering the same problem as #7

mgifford’s picture

mgifford
he/him
Primary language English
CreditAttribution: mgifford commented
Issue summary: View changes
FileSize
windows-web.config-files-1543392-10.patch557 bytes

So something like this? What about for the private directory if one is specified?

mgifford’s picture

mgifford
he/him
Primary language English
CreditAttribution: mgifford commented
Status: Active » Needs review
greggles’s picture

greggles
he/him
Primary language English
Location Denver, Colorado, USA
CreditAttribution: greggles commented
Status: Needs review » Needs work

This would need to be generated dynamically in whatever directory they select as their files directory, similar to how the htacess feature works.

mgifford’s picture

mgifford
he/him
Primary language English
CreditAttribution: mgifford commented

Well, that's a lot more work.. Would require a bunch of changes to core/includes/file.inc

It seemed like possibly an easy fix when I rolled the patch, but ya.. We'd want this rolled out just like the .htaccess files.

Can someone get Microsoft to fund this?

The last submitted patch, 10: windows-web.config-files-1543392-10.patch, failed testing.

nerdcore’s picture

nerdcore CreditAttribution: nerdcore commented
FileSize
web-config-for-iis-1543392-15.patch4.02 KB

Here's a patch to modify file.inc to write web.config is the server is running IIS, and .htaccess otherwise.

I don't have a good IIS testing environment handy, however, so any testing others could provide would be greatly appreciated.

nerdcore’s picture

nerdcore CreditAttribution: nerdcore commented
FileSize
web-config-for-iis-drupal8-1543392-16.patch5.68 KB

Sorry. Like a total doofus I patched Drupal 7.x.

Here is a reroll of my patch in #15 for drupal-8.0.x.

mgifford’s picture

mgifford
he/him
Primary language English
CreditAttribution: mgifford commented
Status: Needs work » Needs review

Go bot go!

The last submitted patch, 15: web-config-for-iis-1543392-15.patch, failed testing.

Status: Needs review » Needs work

The last submitted patch, 16: web-config-for-iis-drupal8-1543392-16.patch, failed testing.

nerdcore’s picture

nerdcore CreditAttribution: nerdcore commented
FileSize
web-config-for-iis-drupal8-1543392-20.patch5.75 KB

Woopsie. Better check if the variable exists before checking its value...

nerdcore’s picture

nerdcore CreditAttribution: nerdcore commented
Status: Needs work » Needs review
rdy4ever’s picture

rdy4ever CreditAttribution: rdy4ever commented

Could this simple web.config work in order to deny script execution? Someone recommend it for wp-content/ulpoads of wordpress and I wonder if it could work on drupal too. 

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read"/>
  </system.webServer>
</configuration>
This tells IIS that handlers (such as PHP) may only read, and not execute.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Pere Orga’s picture

Pere Orga
Primary language Catalan
CreditAttribution: Pere Orga commented

From https://www.drupal.org/docs/7/system-requirements/web-server:

Security note: Some security features are only provided for Apache and IIS through the use of .htaccess and web.config files. You are responsible for recreating these features when using a different webserver.

Meanwhile, should we change that text to something like:

Security note: Some security features are only provided for Apache and (to a lesser extent) IIS through the use of .htaccess and web.config files. You are responsible for recreating these features when not using a Apache.

I think it's giving a false impression.

greggles’s picture

greggles
he/him
Primary language English
Location Denver, Colorado, USA
CreditAttribution: greggles at CARD.com commented

@Pere Orga - sounds good. Please do it.

Pere Orga’s picture

Pere Orga
Primary language Catalan
CreditAttribution: Pere Orga commented

Ok done

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Munavijayalakshmi’s picture

Munavijayalakshmi CreditAttribution: Munavijayalakshmi at Valuebound commented
Status: Needs review » Needs work
Issue tags: +Needs reroll
jayly’s picture

jayly CreditAttribution: jayly commented
Version: 8.3.x-dev » 8.4.x-dev
Assigned: Unassigned » jayly
Status: Needs work » Needs review
Issue tags: -Needs reroll
FileSize
interdiff-20-30.txt3.18 KB
web-config-for-iis-drupal8-1543392-30.patch6.08 KB

I just re-rolled this patch from #20 and this seems did't work #22
And what's more I just applied patch to the version of 8.4.x.

Status: Needs review » Needs work

The last submitted patch, 30: web-config-for-iis-drupal8-1543392-30.patch, failed testing.

jayly’s picture

jayly CreditAttribution: jayly commented
Category: Feature request » Bug report
Status: Needs work » Needs review
FileSize
web-config-for-iis-drupal8-1543392-32.patch6.08 KB

Status: Needs review » Needs work

The last submitted patch, 32: web-config-for-iis-drupal8-1543392-32.patch, failed testing.

jayly’s picture

jayly CreditAttribution: jayly commented
FileSize
web-config-for-iis-drupal8-1543392-34.patch5.73 KB

The same with #20. I just applied patch to the version of 8.4.x.

jayly’s picture

jayly CreditAttribution: jayly commented
Status: Needs work » Needs review

it was not an auto merge.

First, rewinding head to replay your work on top of it...
Applying: apply web-config-for-iis-drupal8-1543392-20.patch to my local reroll-01 branch
Using index info to reconstruct a base tree...
M	core/includes/file.inc
M	core/lib/Drupal/Component/PhpStorage/FileStorage.php
Falling back to patching base and 3-way merge...
Auto-merging core/lib/Drupal/Component/PhpStorage/FileStorage.php
CONFLICT (content): Merge conflict in core/lib/Drupal/Component/PhpStorage/FileStorage.php
Auto-merging core/includes/file.inc
CONFLICT (content): Merge conflict in core/includes/file.inc
error: Failed to merge in the changes.
Patch failed at 0001 apply web-config-for-iis-drupal8-1543392-20.patch to my local reroll-01 branch
The copy of the patch that failed is found in: .git/rebase-apply/patch

When you have resolved this problem, run "git rebase --continue".
If you prefer to skip this patch, run "git rebase --skip" instead.
To check out the original branch and stop rebasing, run "git rebase --abort".

I got this when I tried to rebase after I rerolled the patch #20.
Nest I edit core/includes/file.inc and core/lib/Drupal/Component/PhpStorage/FileStorage.php files.modify the clean upstream version.

Status: Needs review » Needs work

The last submitted patch, 34: web-config-for-iis-drupal8-1543392-34.patch, failed testing.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
CreditAttribution: larowlan at PreviousNext commented
Assigned: jayly » Unassigned
Category: Bug report » Feature request
Issue tags: +Bug Smash Initiative

Moving this back to a feature request, there was no discussion by @jayly as to why the category change occurred.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.