From 757ce5148e167bf401e9532702869cf40fbb65e5 Mon Sep 17 00:00:00 2001 From: Greg Dunlap Date: Mon, 13 Feb 2012 18:11:17 -0500 Subject: [PATCH] Removed sig from global htaccess, create a new one in the config directory at install time which simply does a DenyFromAll, just like private files --- .htaccess | 2 +- core/includes/file.inc | 1 + core/includes/install.core.inc | 5 +++++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.htaccess b/.htaccess index 86a4669eaa..a69bdd4e8b 100644 --- a/.htaccess +++ b/.htaccess @@ -3,7 +3,7 @@ # # Protect files and directories from prying eyes. - + Order allow,deny diff --git a/core/includes/file.inc b/core/includes/file.inc index 05bf6c1b38..1fde2f4508 100644 --- a/core/includes/file.inc +++ b/core/includes/file.inc @@ -467,6 +467,7 @@ function file_ensure_htaccess() { file_save_htaccess('private://', TRUE); } file_save_htaccess('temporary://', TRUE); + file_save_htaccess(config_get_config_directory(), TRUE); } /** diff --git a/core/includes/install.core.inc b/core/includes/install.core.inc index b44f1540a7..5ba4aa52de 100644 --- a/core/includes/install.core.inc +++ b/core/includes/install.core.inc @@ -1011,6 +1011,11 @@ function install_settings_form_submit($form, &$form_state) { if (!file_prepare_directory($config_path, FILE_CREATE_DIRECTORY)) { // How best to handle errors here? }; + + // Write out a .htaccess file that will protect the config directory from + // prying eyes. + file_save_htaccess($config_path, TRUE); + // Indicate that the settings file has been verified, and check the database // for the last completed task, now that we have a valid connection. This // last step is important since we want to trigger an error if the new -- GitLab
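Review bot: The added `file_save_htaccess(config_get_config_directory(), TRUE);` in `file_ensure_htaccess()` has no comment saying what it protects or on what condition. Going by the commit message, `sig` leaves the global rule, so this per-directory file appears to become the only barrier against web access to the config directory. A `.htaccess` file is honoured only by Apache with overrides permitted, so I would add above the call: `// Deny web access to the config directory. Only effective on Apache with AllowOverride; other web servers need an equivalent server-level deny rule.` Whether `file_save_htaccess()` reports a failed write is not visible in this hunk; if it does not, a status-report warning for a missing file would be worth a follow-up. `file_ensure_htaccess()` begins outside the hunk.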
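Review bot: In `install_settings_form_submit()` the new `file_save_htaccess($config_path, TRUE);` runs even when `file_prepare_directory($config_path, FILE_CREATE_DIRECTORY)` has just failed, because that failure branch holds only `// How best to handle errors here?`. In that case the installer continues with a config directory that is missing or has no deny file, and nothing visible here reports it. I would make the call conditional on success, `else { file_save_htaccess($config_path, TRUE); }`, and have the failure branch stop the installation with an error rather than fall through. The stray `;` after the closing brace of the `if` can go at the same time. The function starts and ends outside the hunk.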