From dc736e72170499334c2260b87b4d757350a68abd Mon Sep 17 00:00:00 2001
From: Nathaniel Catchpole <catch@35733.no-reply.drupal.org>
Date: Mon, 9 Nov 2015 18:22:09 +0000
Subject: [PATCH] Issue #1269780 by hswong3i, damien_vancouver, Agileware,
 ricardoamaro, alexpott, axel.rutz, yannickoo: Remove symlinks option from
 .htaccess

---
 .htaccess                                               | 3 ---
 core/lib/Drupal/Component/PhpStorage/FileStorage.php    | 3 +--
 core/modules/system/src/Tests/File/HtaccessUnitTest.php | 9 +++------
 vendor/.htaccess                                        | 3 +--
 4 files changed, 5 insertions(+), 13 deletions(-)

diff --git a/.htaccess b/.htaccess
index b26c63bb57e2..01c63af981f7 100644
--- a/.htaccess
+++ b/.htaccess
@@ -15,9 +15,6 @@
 # Don't show directory listings for URLs which map to a directory.
 Options -Indexes
 
-# Follow symbolic links in this directory.
-Options +FollowSymLinks
-
 # Set the default handler.
 DirectoryIndex index.php index.html index.htm
 
diff --git a/core/lib/Drupal/Component/PhpStorage/FileStorage.php b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
index e4e7fde44f23..b6a2a9dc246f 100644
--- a/core/lib/Drupal/Component/PhpStorage/FileStorage.php
+++ b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
@@ -79,8 +79,7 @@ public function save($name, $code) {
   public static function htaccessLines($private = TRUE) {
     $lines = <<<EOF
 # Turn off all options we don't need.
-Options None
-Options +FollowSymLinks
+Options -Indexes -ExecCGI -Includes -MultiViews
 
 # Set the catch-all handler to prevent scripts from being executed.
 SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
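Review bot: The retained comment `# Turn off all options we don't need.` in htaccessLines() no longer describes the directive below it. `Options None` reset every option, whereas `Options -Indexes -ExecCGI -Includes -MultiViews` subtracts four and leaves FollowSymLinks, SymLinksIfOwnerMatch and any other inherited option as the server configured them. That looks like the intent of the change, but the hardening of these protected directories now depends partly on the parent configuration, and the comment should say so, for example `# Turn off the options we can safely disable; symlink handling is inherited from the server configuration.` The same comment and directive appear in the vendor/.htaccess hunk. The heredoc and the function body continue outside this hunk.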
diff --git a/core/modules/system/src/Tests/File/HtaccessUnitTest.php b/core/modules/system/src/Tests/File/HtaccessUnitTest.php
index c8599b3af0c9..9f5273c25814 100644
--- a/core/modules/system/src/Tests/File/HtaccessUnitTest.php
+++ b/core/modules/system/src/Tests/File/HtaccessUnitTest.php
@@ -40,8 +40,7 @@ function testHtaccessSave() {
     $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
     $this->assertFalse(strpos($content, "Require all denied") !== FALSE);
     $this->assertFalse(strpos($content, "Deny from all") !== FALSE);
-    $this->assertTrue(strpos($content, "Options None") !== FALSE);
-    $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
+    $this->assertTrue(strpos($content, "Options -Indexes -ExecCGI -Includes -MultiViews") !== FALSE);
     $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
     $this->assertFilePermissions($public . '/.htaccess', 0444);
 
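Review bot: The updated assertions in testHtaccessSave() (here and in the two later hunks of this file) check only that the new Options line is present, so a regression that re-adds `Options +FollowSymLinks` alongside it would still pass. A negative assertion next to each one, in the style already used for `Require all denied` in this hunk, would pin the removal: `$this->assertFalse(strpos($content, "FollowSymLinks") !== FALSE);`. As a style point, the third hunk writes `strpos($content,"...")` without a space after the comma, unlike the other two. The test method starts and ends outside these hunks.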
@@ -54,8 +53,7 @@ function testHtaccessSave() {
     $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
     $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
     $this->assertTrue(strpos($content, "Deny from all") !== FALSE);
-    $this->assertTrue(strpos($content, "Options None") !== FALSE);
-    $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
+    $this->assertTrue(strpos($content, "Options -Indexes -ExecCGI -Includes -MultiViews") !== FALSE);
     $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
     $this->assertFilePermissions($private . '/.htaccess', 0444);
 
@@ -68,8 +66,7 @@ function testHtaccessSave() {
     $this->assertTrue(strpos($content,"SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
     $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
     $this->assertTrue(strpos($content,"Deny from all") !== FALSE);
-    $this->assertTrue(strpos($content,"Options None") !== FALSE);
-    $this->assertTrue(strpos($content,"Options +FollowSymLinks") !== FALSE);
+    $this->assertTrue(strpos($content,"Options -Indexes -ExecCGI -Includes -MultiViews") !== FALSE);
     $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
     $this->assertFilePermissions($stream . '/.htaccess', 0444);
 
diff --git a/vendor/.htaccess b/vendor/.htaccess
index 50d210b11ef4..90748bbc9309 100644
--- a/vendor/.htaccess
+++ b/vendor/.htaccess
@@ -8,8 +8,7 @@
   Deny from all
 </IfModule>
 # Turn off all options we don't need.
-Options None
-Options +FollowSymLinks
+Options -Indexes -ExecCGI -Includes -MultiViews
 
 # Set the catch-all handler to prevent scripts from being executed.
 SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
-- 
GitLab