Enabling "Optimize CSS" and "Optimize JS" causes the CSS or JS files to not be used. I'm using SeaMonkey 1.1.8. Clearing Cache didn't help.

Comments

robloach’s picture

Version: 6.1 » 7.x-dev

Make sure your files directory is set up correctly? Moving it to Drupal 7 because if this is a bug in Drupal 6, it'll be a bug in Drupal 7 too. I haven't had this problem.

Anonymous’s picture

Version: 7.x-dev » 6.1

The admin/reports/status shows "File system" as "Writable (public download method)". Moving back to 6.1 since that is where I have the issue.

Anonymous’s picture

Oh, I should mention:

MySQL database 5.0.27
PHP 5.2.1
Web server Apache/2.2.0 (Fedora) DAV/2 PHP/5.2.1 SVN/1.4.3

robloach’s picture

What theme are you using?

Anonymous’s picture

The default garland theme. I can give access upon request, it is a development system.

hilappa’s picture

I'm having the same problem. The sites/default/files directory is writable, Drupal creates the optimized CSS file in the directory alright, but the .htaccess file prevents access to it.

Commenting the following lines in .htaccess solves the problem. Apparently this causes security issues?

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None

Anonymous’s picture

@hilappa, thanks for the info. I've alerted the security team to this issue. The associated node for the alert is http://drupal.org/node/66763.

greggles’s picture

Yeah, uncommenting that line is definitely a "bad idea" in terms of security as that advisory mentions.

That said, I'm not sure what other solutions there are for your situation. I guess it is an Apache configuration problem and you'll need to experiment with more Apache options.

Anonymous’s picture

For me it is a mod-security issue. But what? :( Commenting the .htaccess had null effect for me.

Log Data

--570d3129-A--
[20/Mar/2008:16:36:15 --0400] UjYMbX8AAAEAAGTxPv4AAAAJ x.x.141.45 42428 69.5.75.49 80
--570d3129-B--
GET /sites/drupal6.give-me-an-offer.com/files/css/e857cff00abf494952260cea7c63a731.css HTTP/1.1
Host: drupal6.give-me-an-offer.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 SeaMonkey/1.1.8
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1252,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://drupal6.give-me-an-offer.com/admin/settings/performance
Cookie: SESSfe6577617f11a6fcca02e511f6bca0cc=3aaf9f8f17c1ddc3545e8d8c79ba44e2; SESS1a286663472da9da428480d045f71b81=99472848777fd856eed62fec0e3ef4c4; SESS0844ac3159de1d105f38512d6cd90a3e=dd13a2715fc77e2fcfb1ef9399a76657; SESS26de49b7d3dc8d095260dbc3cf163fa2=e2cfdd30157489612759b2e8f4413324; SESSb3cb240c627c0d56e9e5f1b5085cf30d=430f0420d0a3ae6cda199354d86c1898

--570d3129-F--
HTTP/1.1 403 Forbidden
Content-Length: 402
Connection: close
Content-Type: text/html; charset=iso-8859-1

--570d3129-H--
Apache-Error: [file "/depot/src/httpd-2.2.4/modules/aaa/mod_authz_host.c"] [line 299] [level 3] client denied by server configuration: /home/webadmin/devshop/local/drupal-sites/6.x/drupal6.give-me-an-offer.com/files/css/e857cff00abf494952260cea7c63a731.css, referer: http://drupal6.give-me-an-offer.com/admin/settings/performance
Stopwatch: 1206045375859821 40219 (- - -)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7a

--570d3129-Z--

--35b21f5b-A--
[20/Mar/2008:16:36:16 --0400] UjhXDn8AAAEAAD7aGyQAAAAG x.x.141.45 42432 69.5.75.49 80
--35b21f5b-B--
GET /sites/drupal6.give-me-an-offer.com/files/css/880131c0af452d43403b73584a09d4ae.css HTTP/1.1
Host: drupal6.give-me-an-offer.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 SeaMonkey/1.1.8
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1252,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://drupal6.give-me-an-offer.com/admin/settings/performance
Cookie: SESSfe6577617f11a6fcca02e511f6bca0cc=3aaf9f8f17c1ddc3545e8d8c79ba44e2; SESS1a286663472da9da428480d045f71b81=99472848777fd856eed62fec0e3ef4c4; SESS0844ac3159de1d105f38512d6cd90a3e=dd13a2715fc77e2fcfb1ef9399a76657; SESS26de49b7d3dc8d095260dbc3cf163fa2=e2cfdd30157489612759b2e8f4413324; SESSb3cb240c627c0d56e9e5f1b5085cf30d=430f0420d0a3ae6cda199354d86c1898

--35b21f5b-F--
HTTP/1.1 403 Forbidden
Content-Length: 402
Connection: close
Content-Type: text/html; charset=iso-8859-1

--35b21f5b-H--
Apache-Error: [file "/depot/src/httpd-2.2.4/modules/aaa/mod_authz_host.c"] [line 299] [level 3] client denied by server configuration: /home/webadmin/devshop/local/drupal-sites/6.x/drupal6.give-me-an-offer.com/files/css/880131c0af452d43403b73584a09d4ae.css, referer: http://drupal6.give-me-an-offer.com/admin/settings/performance
Stopwatch: 1206045376009998 578 (- - -)
Producer: ModSecurity v2.1.1 (Apache 2.x)
Server: Apache/2.2.4 (Unix) mod_ssl/2.2.4 OpenSSL/0.9.7a

--35b21f5b-Z--

modsecurity_crs_50_outbound.conf

SecRule RESPONSE_BODY "\b403 forbidden\b\W*?\binternet security and acceleration server\b" \
        "ctl:auditLogParts=+E,log,auditlog,msg:'ISA server existence revealed',id:'970010',severity:'4'"

SecRule RESPONSE_BODY "\b<o:documentproperties>\b" \
        "log,auditlog,msg:'Microsoft Word document properties leakage',id:'970012',severity:'4'"

SecRule RESPONSE_BODY "(?:>\[to parent directory\]<\/a><br>|<title>index of.*?<h1>index of)" \
        "ctl:auditLogParts=+E,deny,log,auditlog,status:403,msg:'Directory Listing',id:'970013',severity:'4'"

The above configuration is the only 403 statuses in my configuration files. Any help appreciated.
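For anyone triaging a similar 403 from a ModSecurity audit log, the following is an added example (not part of the original comment or of ModSecurity itself) that splits a serial audit log into its parts and reports whether the denial came from a ModSecurity rule or from an Apache module. It relies on ModSecurity recording a fired rule as a "Message:" line in part H; the sample entry is constructed, with placeholder hosts and paths.

```python
import re

# Constructed sample modelled on the audit-log entry in the thread (cookies and
# most headers omitted; host, addresses and paths are placeholders).
SAMPLE = """\
--570d3129-A--
[20/Mar/2008:16:36:15 --0400] UjYMbX8AAAEAAGTxPv4AAAAJ 192.0.2.10 42428 192.0.2.20 80
--570d3129-B--
GET /sites/example.test/files/css/abc.css HTTP/1.1
Host: example.test

--570d3129-F--
HTTP/1.1 403 Forbidden

--570d3129-H--
Apache-Error: [file "/src/httpd-2.2.4/modules/aaa/mod_authz_host.c"] [line 299] [level 3] client denied by server configuration: /var/www/files/css/abc.css
Producer: ModSecurity v2.1.1 (Apache 2.x)

--570d3129-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

def parse_audit_log(text):
    """Split a serial ModSecurity audit log into {txn_id: {part: [lines]}}."""
    entries, part = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = entries.setdefault(m.group(1), {}).setdefault(m.group(2), [])
        elif part is not None and line.strip():
            part.append(line)
    return entries

def blocked_by(entry):
    """Attribute a denied response to a ModSecurity rule or to an Apache module."""
    status = (entry.get("F") or ["? ?"])[0].split()[1]
    trailer = entry.get("H", [])
    # A rule that fired is recorded as a "Message:" line in part H.
    if any(l.startswith("Message:") for l in trailer):
        return status, "modsecurity-rule"
    for l in trailer:
        m = re.search(r'Apache-Error: \[file "[^"]*/(mod_\w+)\.c"\]', l)
        if m:
            return status, m.group(1)
    return status, "unknown"

def triage(text):
    return {txn: blocked_by(e) for txn, e in parse_audit_log(text).items()}
```

A result naming `mod_authz_host` points at an Allow/Deny directive in the Apache configuration or an .htaccess file rather than at a ModSecurity rule.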

Anonymous’s picture

But adding Allow from all has success. Is this advisable?

neural’s picture

Same issue here.

I have this on my HTML output page source :

<link type="text/css" rel="stylesheet" media="all" href="/sites/default/files/css/403c6ce98b830b5a3234d37c390e05a6.css" />

Shouldn't the path start with http://www.mysite.com instead of /sites on the rendered page?

I'm on Apache 2 / PHP 5 / Ubuntu-server.

Anonymous’s picture

@neural: I'm not understanding your question.

The .htaccess we've discussed has a path of sites/*/files/.htaccess and not the one at the document root. Each directory can have its own .htaccess file. Adding Allow from all to sites/*/files/.htaccess corrected the problem for me but there may be security risks I'm not aware of.

neural’s picture

Sorry I had forgotten to add the code tags, you can now read the comment again :).

I just noticed that the URL pointing to my aggregated/cached stylesheet isn't correct.

Anonymous’s picture

The optimize option creates one file from the many Drupal CSS (each module could have one or more plus the theme CSS) and compresses it. The file is created in sites/*/files/css so the file location is correct. No, it should not be located at the web document root. It would mean that your document root would need to be write accessible and that is a security risk. Even if you didn't use the optimize option the CSS are not located at the document root.

/sites is found in the document root. The server should know what to do.

dpearcefl’s picture

Status: Active » Postponed (maintainer needs more info)

Does this issue exist in current D6?

Anonymous’s picture

I'll have to check it but give me a few weeks.

dpearcefl’s picture

Status: Postponed (maintainer needs more info) » Active

Anonymous’s picture

Status: Active » Closed (cannot reproduce)

I can't reproduce this now.