I've got a problem with my host. The default .htaccess file doesn't work on my webspace so I commented everything out and reactivated each command one at a time. This helped because it narrowed the problem to the following areas.


#Options -Indexes
#Options +FollowSymLinks
#<IfModule mod_php4.c>
#  php_value magic_quotes_gpc                0
#  php_value register_globals                0
#  php_value session.auto_start              0
#</IfModule>

(The second chunk of commented out stuff is for my version of Apache.)

When these are commented out, Drupal appears to work. Mostly.

So here are my 3 questions:

1) Will Drupal be fully functional with these lines commented out?
2) If not, is there a workaround?
3) What are the security implications that my host is trying to protect by disallowing these commands?

Comments

jbrauer’s picture

None of these should be a big deal. Your provider has limited the directives you're allowed to override. You might ask if they will allow them but it is not a big deal.

Chances are if you create a php file (test.php) and put phpinfo (); in the file you'll see that your host already has magic quotes, register globals and session auto start turned off. (If not you might want a different host.)

More information on phpinfo.

------------------
Adding Understanding

--

honeybug’s picture

Thanks for your reply, Josh.

I had done a phpinfo.php already but, to be honest, wasn't sure what I was looking for. So I did it again...

The results?

magic_quotes_gpc = On
magic_quotes_runtime = Off
magic_quotes_sybase = Off
register_globals = On
session.auto_start = Off

Great.

What the hell does that mean? :D

jbrauer’s picture

There's a pretty good (IMHO) summary in this article on common security blunders in PHP. Magic Quotes and Session Auto Start aren't a huge issue one way or the other (as long as you know how they're set and the scripts you work with are written to accommodate it).

Register Globals is the main concern. Not in Drupal as it checks input pretty well and has a good security model. With less developed scripts register globals is a concern because you can replace data in cookies for example by putting an argument (?cookie="reallybadstuff") in the URL you call a script with. If it is not properly checking for the source of the input it might believe you and do bad things. If you're running drupal it shouldn't be a big problem, but the concern would be are there any other PHP scripts running on your (shared) host that would allow somebody to get to your code/database.

------------------
Adding Understanding

--

honeybug’s picture

So, bearing in mind my host's php settings, Drupal should work and be secure with those lines in the .htaccess file commented out, then?

If not, I'll have to look for another cms solution.

jbrauer’s picture

It should work. The insecurity inherent in the setup will not be diminished by a different CMS and may be increased if it is not coded as well.

---------------------------
Adding Understanding

--

honeybug’s picture

Thanks for your help, Josh.