After wrestling with my webhost for about 10 days, because ALL uploaded images could not appear on pages, including the logo and the host support fellows dismissing my complaints with some simplistic explanations (http://drupal.org/node/651738), they admitted after looking at the error log, that there's something on their servers that is responsible for this.
They said there's this "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006" entry which their server apparently does not support.
04.12.2009 23:46:43 sitename.de [client xx.xxx.xxx.xx] /home/strato/http/power/web3/50/59/526572059/htdocs/sites/default/files/.htaccess: SetHandler not allowed here, referer: http://www.sitename.de/category/image-galleries/rasta
If the first line in the .htaccess file is commented out, the host says, the error does not come & apparently, I can not only see the existing pictures, but could upload new ones. I also noticed, that some ajax functions(?) allowing dragging & dropping stuff, for example used to rearrange blocks which were missing before are available.
I have gone ahead to complete the site with these changes as the site owner is almost strangling me, because of the delay!
So my question is: is commenting out that first line in .htaccess file safe?
If not, what SAFE alternative is there?
I have seen some references to "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006" in many posts, but there is no authoritative sounding statement saying whether it is safe OR NOT making these changes.
My host support folks says they apparently dont allow that function on their and does not know why Drupal needs it.
Stato.de is one of the very biggest webhosts in Germany & they probably have some reason for disabling that function.
Regards
Comments
This is why that line was put there
http://drupal.org/files/sa-2006-006/advisory.txt
In other words, to stop malicious scripts being executed in the files directory (after being inadvertently uploaded, i presume). Now, if your server company can otherwise guarantee that that scripts can't be added to that directory, then perhaps you can remove that line.
It would be also nice if your hosting let us all know what exactly in their server configuration was using that line to stop upload of all files.
That information is also
That information is also available at SA 2006 006 - SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006.
--
Morris Animal Foundation
Get
Get a better host.
Weak security is a bug, not a feature.
Lionheart, It appears that I
Lionheart,
It appears that I have the same problem with this provider.
What did you do, finally, to solve this problem? (As you may notice: it is hard to convince the people at the hosting providers).
So, what is the solution to this problem?
This is how the problem was "solved"
Hi
My host www.strato.de always gets very good reviews in German internet & PC magazine reviews for reasons I dont quite understand. Their support sucks. A new problem that cropped up from no where on Sunday produces such ugly errors on all pages:
Apart from this, pictures in the image gallery (again) stopped showing & many links, including on some admin & settings pages stopped being active. I wrote them on Sunday & up to now Wednesday evening no response yet.
After doing some research here in the forum, I discovered such errors are caused when the HOST, since only they have access to this turn "safe_mode" => "On". Drupal requires this to be "Off".
I checked this out using a phpinfo() script & found that was the case. It seemed someone there turned it on sometime on Sunday.
I crosschecked this by downloading a backup of the site & installing it on a Xampp Web server on my PC. Every thing functions perfectly like the site was a day before.
The main problem with Strato.de is their support. Please keep away from this host if you want your Drupal site to run smoothly & especially if you have a production site. Apart from Email, the only way to contact them is using an expensive telephone number. They earn something from the charges.
Back to your problem Buzzard:
-----------------------------
After wrestling with these guys for about 2 weeks, one of them bothered to look at the error log & as it is noted there the problem is cased by some function called "SetHandler" being disabled on their servers. In all these years with Drupal & lots of hosts, I have never encountered any other that has this done this for security or other reasons. The gentleman suggested that if one uncommented the first line in the .htaccess file in \sites\default\files the errors stop showing.
instead of
Not only that, but the pictures in the galleries can not only be uploaded but are visible, which was not the case before.
When I pointed to possible security implications as suggested in that line & in a related article I found somewhere here at Drupal.org (not the forum) in some reference to the subject, he correctly suggested in that article, it is stated it affects versions 4.x of Drupal, whereas we now have 6.x.
I had no choice but to uncomment this, because my client wanted the site running at any cost especially after waiting for about 2 weeks to get a solution from my host & with reasons she could not relate to.
Unless there is an authoritative statement from Drupal.org on the importance of that piece of code for versions above 4.x, one cannot know the real implications of this. It would also be good if they uncommented that line if it only affected older versions of Drupal.
------------------------
My advice once again: keep away from www.strato.de if you want to use Drupal, in spite of them insisting in the features section it's optimized for Joomla & Drupal, because of
The first time it took about 11 days & countless email exchanges, chats (chat is often inactivated) & some telephone call. This time the fourth full day is approaching ....
Regards
Hey, I just wanted to throw
Hey, I just wanted to throw my two cents, Strato is the worst hosting company in Germany. They not only suck, they're also incompetent and the servers are very poorly configured. Run away from that company. 1&1 is also not much better.
If you want to get professional support, good configured modern servers in Germany, I can recommend Host Europe.
Old usernames: pc-wurm, Елин Й.
One possible solution
My provider One.com has the same problem. The suggestion was to remove the .htaccess file. Apparently Drupal detects if the file is missing and adds it :-)
So my solution was to comment out ALL 3 lines. It didn't work with just SetHandler ...
#SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
#Options None
#Options +FollowSymLinks
BTW. One.com requires Explorer for their file manager (yes, in the year 2010), the safe_mode is 'on' and there are at least one server setting (SetHandler) they do not support. You have been warned. Their online chat support was okay, although (only?) in English which is not my native language.
hassle
im currently at one.com too.
As i finihed a website it took between 5-30 seconds to load or sometimes after the 30sec a WSOD (white screen of death) appeared.
First I thought its from my modules, but its completely their fault.
And now i have to hassle around with this "do not remove but anyway remove it" situation.
The one and only solution for me is to move away from one.com.
The best part is that they offer a money back guarranty but the dont want to pay the money back for crappy hosting :D
Talking about one.com
Hi
I was helping run someone's site at one.com, which runs qute a number of modules. It kept getting memory-related problems because they only offer memory of 32M, including white screens etc, if u try to carry out some functions like updating some modules & running the update.php script.
Since the site was moved to hostmonster, which is much more flexible on this & allowing one to increase it, by adding a php.ini script in the root folder or other methods suggested in Drupal docs, those specific problems ceased!!
So one.com is only good if u probably just hace core modules 6 at more a few more.
AllowOverride apache directive problem
I fixed the problem adding:
AllowOverride FileInfo Options
in the apache config file.
My solution
Apache configuration solution
To allow Sethandler, according to Apache documentation you use "AllowOverrideList" to fine tune the allowed options for the file directory. The system administrator of a LiveConfig based hosting service can override default configuration as follows.