From 9e72c8bfafc638b7717b0fd0c29b37f0a9f7955b Mon Sep 17 00:00:00 2001 From: Alex Pott <alex.a.pott@googlemail.com> Date: Sat, 29 Mar 2014 16:28:16 +0100 Subject: [PATCH] Issue #1599774 by longwave, kristofferwiklund, BTMash, marcingy | Letharion: .htaccess protections do not work on Apache 2.4 without mod_access_compat. --- .htaccess | 7 ++++++- .../lib/Drupal/Component/PhpStorage/FileStorage.php | 13 ++++++++++++- .../Drupal/system/Tests/File/HtaccessUnitTest.php | 4 ++++ 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/.htaccess b/.htaccess index c0f14582b368..3642f88858d1 100644 --- a/.htaccess +++ b/.htaccess @@ -4,7 +4,12 @@ # Protect files and directories from prying eyes. <FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$"> - Order allow,deny + <IfModule mod_authz_core.c> + Require all denied + </IfModule> + <IfModule !mod_authz_core.c> + Order allow,deny + </IfModule> </FilesMatch> # Don't show directory listings for URLs which map to a directory. diff --git a/core/lib/Drupal/Component/PhpStorage/FileStorage.php b/core/lib/Drupal/Component/PhpStorage/FileStorage.php index 67399ab8831a..33604f1b20be 100644 --- a/core/lib/Drupal/Component/PhpStorage/FileStorage.php +++ b/core/lib/Drupal/Component/PhpStorage/FileStorage.php @@ -97,7 +97,18 @@ public static function htaccessLines($private = TRUE) { EOF; if ($private) { - $lines = "Deny from all\n\n" . $lines; + $lines = <<<EOF +# Deny all requests from Apache 2.4+. +<IfModule mod_authz_core.c> + Require all denied +</IfModule> + +# Deny all requests from Apache 2.0-2.2. +<IfModule !mod_authz_core.c> + Deny from all +</IfModule> +EOF + . $lines; } return $lines; 
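Review bot: The new `Require all denied` branch only takes effect from an .htaccess file when the directory's `AllowOverride` includes `AuthConfig`, whereas the `Order allow,deny` it supersedes on 2.4 is governed by `Limit`; a vhost that was tuned for 2.2 with only `AllowOverride Limit` will, as far as I can tell, reject the new directive on 2.4 rather than silently fall back, so the requirement deserves a comment here. Unlike the FileStorage copy of the same pair, this hunk also explains neither branch. I would add, above the first `<IfModule>`, `# Apache 2.4+ (mod_authz_core): needs AllowOverride AuthConfig (or All).` and above the second `# Apache 2.0-2.2 fallback; on 2.4 only the Require branch applies, even with mod_access_compat loaded.` The surrounding `<FilesMatch>` pattern is unchanged by this commit.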
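Review bot: The new heredoc ends at `</IfModule>` with no trailing newline, because PHP drops the newline before the closing `EOF`, so `. $lines` glues it directly onto the first line of the options heredoc and every private-directory .htaccess comes out with `</IfModule># Turn off all options we don't need.` on one line, where the old `"Deny from all\n\n"` kept a blank line between the two parts. Apache's config parser will, as far as I can tell, reject that line rather than treat the `#` as a comment, so requests under the private path would fail with a server error instead of a clean denial, and the substring assertions this commit adds to HtaccessUnitTest would not notice. The one-line fix is to keep the separator explicit, `. "\n\n" . $lines;`, or to add a blank line before the closing `EOF`. htaccessLines() starts outside the hunk and its remaining body is unchanged.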
diff --git a/core/modules/system/lib/Drupal/system/Tests/File/HtaccessUnitTest.php b/core/modules/system/lib/Drupal/system/Tests/File/HtaccessUnitTest.php
index 4bc7f92a2895..66438b766e62 100644
--- a/core/modules/system/lib/Drupal/system/Tests/File/HtaccessUnitTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/File/HtaccessUnitTest.php
@@ -44,6 +44,8 @@ function testHtaccessSave() {
 $this->assertTrue(file_save_htaccess($public, FALSE));
 $content = file_get_contents($public . '/.htaccess');
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
+ $this->assertFalse(strpos($content, "Require all denied") !== FALSE);
+ $this->assertFalse(strpos($content, "Deny from all") !== FALSE);
 $this->assertTrue(strpos($content, "Options None") !== FALSE);
 $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
@@ -56,6 +58,7 @@ function testHtaccessSave() {
 $this->assertTrue(file_save_htaccess($private));
 $content = file_get_contents($private . '/.htaccess');
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
+ $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
 $this->assertTrue(strpos($content, "Deny from all") !== FALSE);
 $this->assertTrue(strpos($content, "Options None") !== FALSE);
 $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
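Review bot: The two added negative checks for the public directory are written as `assertFalse(strpos(...) !== FALSE)`, a double negation that reads as the opposite of what it asserts and, like the assertions around it, passes no message, so a failure reports nothing but the boolean. `$this->assertTrue(strpos($content, "Require all denied") === FALSE, 'Public .htaccess does not deny access.');` states the intent directly, and the same form works for `"Deny from all"`. testHtaccessSave() starts before this hunk and continues after it.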
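Review bot: Checking that `Require all denied` and `Deny from all` each appear somewhere in the private .htaccess does not test what this commit actually relies on, that each directive sits inside its matching `<IfModule>` guard; a `Deny from all` that ended up outside `<IfModule !mod_authz_core.c>` would still pass here and would break Apache 2.4 without mod_access_compat, which is the very bug being fixed. A cheap ordering check catches that: `$guard = strpos($content, '<IfModule !mod_authz_core.c>');` followed by `$this->assertTrue($guard !== FALSE && $guard < strpos($content, 'Deny from all'), 'Deny from all is guarded.');`, with the equivalent pair for `mod_authz_core.c` and `Require all denied`. The generated text comes from FileStorage::htaccessLines(), outside this hunk, so asserting on the exact guarded block it emits would be an alternative.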
@@ -69,6 +72,7 @@ function testHtaccessSave() {
 $this->assertTrue(file_save_htaccess($stream));
 $content = file_get_contents($stream . '/.htaccess');
 $this->assertTrue(strpos($content,"SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
+ $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
 $this->assertTrue(strpos($content,"Deny from all") !== FALSE);
 $this->assertTrue(strpos($content,"Options None") !== FALSE);
 $this->assertTrue(strpos($content,"Options +FollowSymLinks") !== FALSE);
-- GitLab
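Review bot: The added line repeats, for the stream-wrapper directory, the same presence check the previous hunk adds for the private directory, so the test now carries the same run of substring assertions in two places that must be kept in sync by hand whenever the generated directives change. A small protected helper taking `$content`, called as `$this->assertPrivateHtaccess($content);` from each block, would make the next change to htaccessLines() a one-place edit. The new line also uses `strpos($content, "...")` while its neighbours in this block use `strpos($content,"...")`; the spacing should match one way or the other. testHtaccessSave() starts outside this hunk.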