Aegir needs a new release to match SA-CORE-2013-003

Why do we actually need to hack the files/.htaccess file? It's not actually used or deployed by Aegir in the first place, is it?

Yeah, core should be smarter than that. It again ignores also the fact than Nginx doesn't use .htaccess, like in Aegir in general, so we have hacked that stupid core like this:

  // Test the web server identity.
  if (isset($_SERVER['SERVER_SOFTWARE']) && preg_match("/Nginx/i", $_SERVER['SERVER_SOFTWARE'])) {
    // Skip this on BOA and Nginx since .htaccess is never used in Nginx.
    $is_nginx = TRUE;
  }
  elseif (!isset($_SERVER['SERVER_SOFTWARE'])) {
    // Skip this in Aegir backend where SERVER_SOFTWARE is not set, since .htaccess is never used in Nginx.
    $is_nginx = TRUE;
  }
  else {
    $is_nginx = FALSE;
  }

  // Test the contents of the .htaccess files.
  if ($phase == 'runtime' && !$is_nginx) {

They should really improve this and simply skip this warning if there is non-Apache server discovered, at least. I'm going to submit a patch for core, I think.

Yeah, good idea. Better than trying every webserver out there, core should actually make an AJAX request to see if the files directory is accessible directly, instead of second-guessing...

Please do refer to the core issue when/if you create it!

Turns out there was already such issue in the core queue, so I have submitted patches for D6, D7 and D8 there: #1559116: Make core aware of Nginx and PHP-FPM to avoid confusing alerts

Of course it still doesn't help when Apache is used, but with .htaccess support disabled, like it is in Aegir by default. Should be a separate issue in core, I guess.

Yep, running real test (like backup_migrate does) instead of just web server identity checks (like: what if Nginx is masked as Apache to satisfy Drupal core assumptions related to upload progress support?) would be much better in this case.

patches applied.