htaccess file in /files

Posted by danmurf on July 24, 2007 at 6:28am

The htaccess file in my /files directory is causing me all sorts of havoc - it seems my host (fasthosts) have locked down htaccess to only be able to use security, so no mod rewrite etc. The problem is, if I delete that file it's automatically created again by Drupal (clever stuff, but it's stopping my site working). Before I switch host, does anyone know if it's necessary to have the htaccess file there, and also, is there any way of stopping it being recreated by Drupal?

Many thanks

Comments

did you try...

Posted by dman on July 24, 2007 at 12:03pm

The clever thing there just checks that it exists, not what's in it.

Don't delete it, just delete or comment the line in it and leave the file :)

(I think it was documented in the issue it refers to)

.dan.
How to troubleshoot Drupal | http://www.coders.co.nz/

_{.dan. is the New Zealand Drupal Developer working on Government Web Standards}

Cheers Dan - worked a charm!

Posted by danmurf on July 24, 2007 at 6:49pm

Cheers Dan - worked a charm!

i'm having the same trouble.

Posted by scorecomms on August 23, 2007 at 8:28am

i'm having the same trouble. The thing si, when i try to delete the .htaccess file off the server it won't let me.

It also won't let me edit the file locally and upload it to replace the file. What do i do?

First, the files/.htaccess

Posted by dman on August 23, 2007 at 1:10pm

First, the files/.htaccess file shouldn't be breaking anything, it doesn't use any permissions, it just STOPS user-uploaded files from ever executing.

You should be able to just replace it with an empty text file, if that's your intention.

I don't know what 'it' is that won't let you edit your own files, but I suspect it's your OS.
Get a text editor - not notepad - to create your text file, save as 'all files' not *.txt.
Show file suffixes if it won't let you name the file to begin with a dot. I think you can SAVE AS a .htaccess, although if you are in beginner-mode you can't RENAME TO it.

.dan.
How to troubleshoot Drupal | http://www.coders.co.nz/

_{.dan. is the New Zealand Drupal Developer working on Government Web Standards}

Thanks, Dan. That worked.

Posted by seul on February 5, 2008 at 12:04pm

Thanks, Dan. That worked.

I am setting up a website for a German university, and the server I'm forced to work with insists on going haywire (500 - internal server error) whenever there is a .htaccess file with any content whatsoever. The only things it does seem to tolarate are

authtype basic
authname "Something"
authuserfile /a/path/they/give-you
require valid-user

I do not feel comfortable with no .htaccess in my root directory and an empty .htaccess in ./files/, do you (or does anybody) know if I make the site very vulnerable through this?

The additional trouble is that they seem to run apache 2.0.55 and MySQL 4.0.18.

If someone finds a way of

Posted by dman on February 5, 2008 at 11:05pm

If someone finds a way of uploading a *.php file as an attachment to their posts - then retrieving it again may EXECUTE that script. This is a vulnerability that the files/.htaccess was there to prevent.

However, the list of allowable filetypes (upload settings) should filter that for you.

other bits in the top-level .htaccess (if you read the file) try to stop folk from snooping inside code folders, but there's not a lot of harm that I know of there. But still, it's a bit of unwanted exposure.

This problem comes down to your host server not allowing
AllowOverride All
which is the desired environment. You need co-operation from the sysadmin - after all you are trying to be secure on their server, not leave it open to exploits!

.dan.
How to troubleshoot Drupal | http://www.coders.co.nz/

_{.dan. is the New Zealand Drupal Developer working on Government Web Standards}

Thanks a lot for your reply,

Posted by seul on February 9, 2008 at 10:31pm

Thanks a lot for your reply, it cleared away some fog for me.

I'm afraid I can't expect much co-operation from the admin. When I called him about some trouble with the server he delivered half an hour of a speech to convince me to use their commercial CMS. When, after he was done, I said I'd still prefer Drupal he said "Bye" and hung up in my face.

So I guess I'll have to leave them without .htaccess. At least I learned a lot here.

Cheers,
seul

Again I was having a similar

Posted by danmurf on August 28, 2007 at 8:51am

Again I was having a similar problem - it seems that some files that are created by php scripts (like the htaccess file) can't be deleted by some FTP accounts, so you need root access to delete the file or reset the permissions so your normal ftp account can. If you're on shared hosting this can be quite a pain, but I found if you use a php file manager (like File Thingie - http://www.solitude.dk/filethingie/) you can delete unwanted files from a php script, allowing you to delete/change other files created by php scripts (not uploaded via your normal FTP account).

As Dan mentioned above, some text editors won't work with files beginning with '.', so either download a more functional text editor (Notepad++ is one of my favourites - http://notepad-plus.sourceforge.net/) or rename the file to htaccess.txt, then edit, save, upload, and rename the file back to .htaccess through your FTP client.