Modify "Order deny,allow" to Order "allow,deny" [#93865]

In security a common (and good) approach is to deny all access to a resource and specify what can access it specifically. Often this is done the other way around; allowing access to everything and specifyng what is not allowed.

As described in http://drupal.org/node/93843 I am suggesting to change the following in .htaccess:

# Protect files and directories from prying eyes.
<FilesMatch "...">
  Order deny,allow
  Deny from all
</FilesMatch>

# Protect files and directories from prying eyes.
<FilesMatch "...">
  Order allow,deny
</FilesMatch>

Because the latter is the correct implementation of "Default = Deny, Allow what is set" and is thus technically 'more correct'.

Comment	File	Size	Author
	htaccess_10.patch	452 bytes	Jax

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

Morbus Iff

they/them

CreditAttribution: Morbus Iff commented 10 November 2006 at 13:40

You know, I was thinking about this again this morning, and I think our /existing/ implementation is /more secure/ than this suggested patch. Consider a badly configured Apache that has document roots set for "Allow from all" - this would override this suggested patch, and give everyone access to our FilesMatch. Likewise, there's no "Allow from none" we can put in here to stop that from happening. With that consideration said, I think it's safer to remain with what we have, even though it is a default whitelisting, then a global blacklist.

Comment #2

Morbus Iff

they/them

CreditAttribution: Morbus Iff commented 10 November 2006 at 13:41

I think we should probably patch a comment into the .htaccess with the reason why we're doing this "wrong", quote unquote - to protect from upstream bad configurations (like the "Allow from all" I just mentioned).

Comment #3

Jax CreditAttribution: Jax commented 10 November 2006 at 15:29

Actually it seems an Order statement voids all previous Allow/Deny statements.

olivier@tornado:~/public_html/tmp/down$ ls -al
total 9
-rw-r--r--    1 olivier  tech           17 Nov 10 16:25 .htaccess
-rw-r--r--    1 olivier  tech            6 Nov 10 16:25 index.php
olivier@tornado:~/public_html/tmp/down$ ls -al ..
total 731
-rw-r--r--    1 olivier  tech           32 Nov 10 16:26 .htaccess
drwxr-xr-x    2 olivier  tech          112 Nov 10 16:26 down/
olivier@tornado:~/public_html/tmp/down$ cat .htaccess
Order Allow,Deny
olivier@tornado:~/public_html/tmp/down$ cat ../.htaccess
Order Deny,Allow
Allow From All

When I go to the index.php file in down it gives a forbidden. I'll start looking for documentation about this.

Comment #4

Jax CreditAttribution: Jax commented 10 November 2006 at 15:34

Actually the section you quoted in the forum topic is relevant here. If the "Allow from" statements were not voided from a new Order you should contact apache2.org to update their documentation to include your warning.

Comment #5

Morbus Iff

they/them

CreditAttribution: Morbus Iff commented 10 November 2006 at 15:48

I'd want you to test a few more scenarios:

1) Make /.htaccess "Order Allow,Deny\nAllow from all"
2) Make /.htaccess simply "Allow from all".
3) Make [Directory /path/to/your/down/directory]\nOrder Allow,Deny\nAllow from all[/Directory] in your httpd.conf

Comment #6

Jax CreditAttribution: Jax commented 10 November 2006 at 16:32

With

# cat /.htaccess
Order Allow,Deny
Allow from All

# cat .htaccess
<FilesMatch "\.php">
  Order Allow,Deny
</FilesMatch>

I get a forbidden on the index.php

With:

# cat /.htaccess
Allow from All

I still get a forbidden.

With:

<Directory /home/*/public_html>
    AllowOverride All
    Order Allow,Deny
    Allow From All
</Directory>

(I restarted the webserver after the modification) and no /.htaccess It still gives forbidden.

Comment #7

Morbus Iff

they/them

CreditAttribution: Morbus Iff commented 10 November 2006 at 16:40

Can you modify the third, the one in httpd.conf, to point /directly/ to your /down/ directory, as I demo'd?

Comment #8

Jax CreditAttribution: Jax commented 13 November 2006 at 13:40

With:

<Directory /home/olivier/public_html/tmp/down>
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

And no .htaccess in "/home/olivier/public_html/tmp/down" I can get to the index.php but when I activate the .htaccess in down:

<FilesMatch "\.php">
  Order Allow,Deny
</FilesMatch>

I get a forbidden as intended.

Comment #9

Morbus Iff

they/them

CreditAttribution: Morbus Iff commented 13 November 2006 at 16:55

In which case, I'm fine with the patch, though could care little if it actually gets in. To some degree, even though the other one is "wrong" in the sense of blacklisting/whitelisting, I feel it's also more obvious at an initial glance (the "Deny from all", being explicit, is telling, compared to just "Order allow,deny", which innocently seems to suggest we allow everything first).

Comment #10

drumm

he/him

NY, US

CreditAttribution: drumm commented 29 November 2006 at 06:16

Status:

Needs review

» Fixed

Committed to HEAD.

Comment #11

(not verified) CreditAttribution: commented 13 December 2006 at 06:30

Status:

Fixed

» Closed (fixed)

Comment #12

Senpai CreditAttribution: Senpai commented 14 February 2007 at 07:09

Version:	5.0-beta1	» 5.1
Status:	Closed (fixed)	» Reviewed & tested by the community

Just a quick follow-up to ask if one of you would roll that .htaccess "innocent comment" into HEAD. You know, the one that says, "The 'Order allow,deny' blocks access to all the files listed, even though it appears at first glance to leave the barn door open."

I was upgrading sites from 4.7.6 to 5.1 today, and, while comparing my old htaccess to the new one, noticed this change and became alarmed. A little tiny note, even half as long as what I've written above, would soothe some nerves among those who don't use a stock htaccess file and thus can't simply replace their old one with your new version.

"Order allow,deny is the correct way of keeping intruders away from precious files." There. that'd do it.
--
Senpai