hi,
i configured all things related to filebrowser page. all things uploaded the attachments and stuff go to the folder that the filebrowser displays as root. however, the problem is that, the .htaccess file appears aftersome time. i delete that and see after few hours. how can i get rid of gettin .htaccess file created, or even i should never touch that?
TiA

Comments

gábor hojtsy’s picture

gábor hojtsy
he/him
Primary language Hungarian
Location Hungary
commented
Status: Active » Closed (works as designed)

If you use the Drupal upload module and you point filebrowser to the folder used by that feature, you should read the contents of the .htaccess file, and understand what is in there. You should not remove it.

ideviate’s picture

ideviate commented

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None

RewriteEngine off

this is the code in it. i dont want to change the configuration since it is now efficient.

gábor hojtsy’s picture

gábor hojtsy
he/him
Primary language Hungarian
Location Hungary
commented

Well, this says everything. Do not remove. It is there for security reasons.

ideviate’s picture

ideviate commented

http://www.universideliyiz.biz/filebrowser

this is my filebrowser link. whenever i want to open the file, my firewall program says "a recent attempt was blocked" . is it sth insecure to have it displayed by filebrowser? is it only me having an .htaccess file among filebrowser files.

dman’s picture

dman commented
Title: filebrowser and .htaccess file » prevent filebrowser from displaying .htaccess file
Category: support » feature
Status: Closed (works as designed) » Active

the .htaccess re-appears every time you do something (like upload) within the files directory - it protects you from an exploit where folk could upload executable or configuration code. The system will ALWAYS try to replace it if it's not already there.

Although it shows up on the listing, you can't access it because Apache (not Drupal) prevents anonymous web access to your configuration files.

So I see your problem. Oddly, I haven't noticed this on my system...

Best fix would simply be that .htaccess, or all ".files" are not listed. Filebrowser already hides CVS and similar ... Hm. Yep, my .htaccesses are visible too. Not nice.

gábor hojtsy’s picture

gábor hojtsy
he/him
Primary language Hungarian
Location Hungary
commented
Status: Active » Fixed

I have added a fix to remove .htaccess from the displayed files list in the upcoming Drupal 5 update.

Anonymous’s picture

(not verified) commented
Status: Fixed » Closed (fixed)
kvoltz’s picture

kvoltz commented

Hello,

is there a way to resolve this issue in D6?

I would like to hide the .htaccess file as well, but can't seem to find a way to do it.

kvoltz’s picture

kvoltz commented
Status: Closed (fixed) » Needs review
kvoltz’s picture

kvoltz commented
Status: Needs review » Closed (fixed)

My Mistake,
I found the solution. I simply needed to add .htaccess to the forbidden list.