Problem/Motivation
There is no consistency in when dots/periods are escaped in rewrite conditions/rules in the main .htaccess file.
Proposed resolution
Escape all dots/periods for consistency and clarity.
Release note snippet
Drupal's generated .htaccess files now consistently escape dots (the . character) in rewrite conditions and rules. (For example, statistics.php has been corrected to statistics\.php.) These changes make the rules slightly more strict (and therefore safer). Site owners should make a backup of customized .htaccess files before updating, and may wish to also escape dots in their own custom rules where appropriate.
Comment | File | Size | Author |
---|---|---|---|
#9 | escape-htaccess-dots-2989262-9.patch | 3.51 KB | Daniel Korte |
Comments
Comment #2
Daniel Korte
Comment #3
Daniel Korte
Comment #4
Daniel Korte
Comment #7
Kristen Pol
Patch applies cleanly to 9.1.x.
Comment #8
Kristen Pol
Thanks for the issue and patch.
1) If I'm following the changes properly, it looks like the comparison part should be escaped and the path to go to should not, which I think makes sense. Example:
2) Kicking off tests for 9.1.x.
Comment #9
Daniel Korte
Thanks @Kristen Pol
1) That's correct.
2) Should be fixed by the attached patch.
Comment #10
longwave
Thanks for catching this. I agree that this should be fixed; the unescaped dot means "any character", which means we have some false positives here which, while unlikely to be triggered on most sites, might be tricky to debug if you did accidentally find them.
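The false positives described in the comment above, as an added illustration that is not part of the thread or of the Drupal patch: a small Python audit that flags rewrite patterns containing a bare dot. The sample rules are constructed (only the statistics.php name comes from this page), and treating a dot followed by a quantifier as intentional is a heuristic assumed here.

```python
import re

# Constructed sample rules for illustration; only the statistics.php name
# comes from the page. Assumes patterns contain no spaces.
SAMPLE = "\n".join([
    r"RewriteCond %{REQUEST_URI} !/statistics.php$",
    r"RewriteCond %{REQUEST_URI} !/statistics\.php$",
    r"RewriteCond %{REQUEST_FILENAME} !-f",
    r"RewriteRule ^(.*)$ index.php [L]",
    r"RewriteRule ^example.txt$ - [L]",
])

def bare_dots(pattern):
    """Offsets of unescaped '.' outside [...] with no quantifier after it."""
    hits, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":            # escaped character: skip it and its target
            i += 2
            continue
        if in_class:
            in_class = c != "]"  # a dot inside a class is already literal
        elif c == "[":
            in_class = True
        elif c == "." and pattern[i + 1:i + 2] not in ("*", "+", "?", "{"):
            hits.append(i)       # heuristic: '.*' / '.+' are deliberate
        i += 1
    return hits

def audit(htaccess_text):
    """Return (line_number, pattern) for each regex with a bare dot."""
    findings = []
    for n, line in enumerate(htaccess_text.splitlines(), 1):
        parts = line.split()
        name = parts[0].lower() if parts else ""
        if name == "rewriterule" and len(parts) >= 2:
            pattern = parts[1]   # the substitution (parts[2]) is not a regex
        elif name == "rewritecond" and len(parts) >= 3:
            pattern = parts[2]   # parts[1] is the test string
        else:
            continue
        pattern = pattern.strip('"').lstrip("!")
        if pattern[:1] in ("-", "=", "<", ">"):  # file tests, comparisons
            continue
        if bare_dots(pattern):
            findings.append((n, pattern))
    return findings

def matches(pattern, path):
    """Python's re behaves like Apache's PCRE for these simple patterns."""
    return re.search(pattern, path) is not None
```

Here `matches(r"/statistics.php$", "/statistics-php")` is true while the escaped form rejects the same path, which is the stricter behaviour the release note describes.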
Comment #11
alexpott
This makes sense. Only committing to 9.1.x because htaccess files are often customised so changing only in a minor release is nice for everyone. I can't work out any serious bugs or issues caused by this misconfiguration so that seems okay.
Committed 952c086 and pushed to 9.1.x. Thanks!
Comment #14
xjm
Changes to these files always get a release notes mention.
Comment #15
xjm
I drafted a release note. It should also link a change record explaining the change in more detail, because explaining escaped-dot-literal versus dot-regex-match is beyond the scope of the release notes, but someone might need an explanation. For now I'm going to add a link to the issue itself (which is a no-no generally), but let's add a change record so we can explain it properly when 9.1.0 itself comes out. Thanks!
Comment #18
xjm
Adding credit for @quietone who added the change record. Thanks!
Comment #20
quietone (at PreviousNext)
This does have a CR, removing tag.