Skip to content
Snippets Groups Projects
Commit 6dd4c35e authored by Gerhard Killesreiter's avatar Gerhard Killesreiter
Browse files

prevent execution of scripts from files directory

parent e122b009
No related branches found
No related tags found
No related merge requests found
......@@ -144,6 +144,13 @@ INSTALLATION
by the Drupal server process. You can change the name of this
subdirectory at "Administer > Settings > File system settings".
SECURITY NOTICE: Certain Apache configurations can be vulnerable
to a security exploit allowing arbitrary code execution. Drupal
will attempt to automatically create a .htaccess file in your
"files" directory to protect you. If you already have a .htaccess
file in that location, please add the following line:
SetHandler This_is_a_Drupal_security_line_do_not_remove
You can now launch your browser and point it to your Drupal site.
Create an account and login. The first account will automatically
......
......@@ -112,6 +112,18 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) {
}
}
if ((file_directory_path() == $directory || file_directory_temp() == $directory) && !is_file("$directory/.htaccess")) {
if (($fp = fopen("$directory/.htaccess", 'w')) && fputs($fp, 'SetHandler This_is_a_Drupal_security_line_do_not_remove')) {
fclose($fp);
}
else {
$message = t("Security warning: Couldn't write .htaccess. Please create a .htaccess file in your %directory directory which contains the following line: <code>SetHandler This_is_a_Drupal_security_line_do_not_remove</code>", array('%directory' => $directory));
form_set_error($form_item, $message);
watchdog('file system', $message, WATCHDOG_ERROR);
}
}
return true;
}
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment