The .htaccess file should be updated to disallow access to the database files used by SQLite (*.db3 files).
Change line 6 of .htaccess from
<FilesMatch "\.(engine|inc|info|install|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
to
<FilesMatch "\.(.*db3|engine|inc|info|install|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | drupal-block-files-htaccess-379150-7.patch | 1.3 KB | ethomas08 |
| #6 | drupal-block-files-htaccess-379150-6.patch | 791 bytes | ethomas08 |
| #5 | drupal-block-files-htaccess-379150-5.patch | 818 bytes | ethomas08 |
| #4 | drupal-block-files-htaccess-379150-4.patch | 1.45 KB | ethomas08 |
Comments
Comment #1
dave reid
There's really nothing to say that I can't create a .sqlite file or .db, so this approach really isn't going to work. For example, the PHP PDO SQLite docs have their example file named 'sq3'.
What we should do is recommend (or validate the db details form) to make sure that the users prefix the filename with '.ht' (ex. '.ht.sqlite') so that the file is hidden no matter its extension.
See related:
#337993: No install instructions for SQLite
#346494: DB drivers need to be able to change the configure database form during install
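Added example, not part of the original thread or of Drupal's code: a coverage check that runs the two `FilesMatch` patterns quoted in the issue against database file names, showing which names the extension list misses and which the '.ht' prefix catches. The sample file names are constructed, and the `^\.ht` rule assumes the server still carries Apache's stock deny rule for `.ht*` files.

```python
import re

# Line 6 of Drupal's .htaccess as quoted in the issue (before the change).
ORIGINAL = (r"\.(engine|inc|info|install|module|profile|test|po|sh|.*sql|theme"
            r"|tpl(\.php)?|xtmpl|svn-base)$"
            r"|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template"
            r"|all-wcprops|entries|format)$")
# The replacement proposed in the issue: ".*db3" added to the extension list.
PROPOSED = ORIGINAL.replace(r"\.(engine", r"\.(.*db3|engine", 1)
# Assumption: Apache's stock rule denying .htaccess/.htpasswd is still active.
APACHE_HT = r"^\.ht"

# Constructed sample names for a SQLite database file in the web root.
SAMPLES = ["site.db3", "site.sqlite", "site.db", "site.sq3",
           ".ht.sqlite", ".htdrupal"]


def blocked(filename, *patterns):
    """True if any pattern matches. FilesMatch does an unanchored regex
    search against the file name, which re.search mirrors here."""
    return any(re.search(p, filename) for p in patterns)


def audit(filenames):
    """Map each file name to whether each rule set would deny it."""
    return {
        name: {
            "original": blocked(name, ORIGINAL),
            "proposed": blocked(name, PROPOSED),
            "with_ht_rule": blocked(name, PROPOSED, APACHE_HT),
        }
        for name in filenames
    }


if __name__ == "__main__":
    for name, row in audit(SAMPLES).items():
        status = "  ".join(f"{k}={'deny' if v else 'SERVED'}" for k, v in row.items())
        print(f"{name:12} {status}")
```

Any name that shows `SERVED` in every column can be downloaded by anyone who guesses it, which is the gap the '.ht' prefix closes regardless of extension.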
Comment #2
wildtang3nt commented
Whichever is best then... I just don't want people to be guessing the name of the database and downloading it.
Comment #3
dave reid
We now have the SQLite instructions added to core, so I'm marking this as won't fix.
Comment #4
ethomas08 commented
Uploading a patch that my team uses to block a lot of the Drupal core files.
Comment #5
ethomas08 commented
Patch for ghdx.healthdata.org for Drupal core 7.92 release
Comment #6
ethomas08 commented
Patch for healthdata.org for Drupal core 7.92 release
Comment #7
ethomas08 commented
Patch for Drupal core 7.103 release