Issue #1599774 by longwave, kristofferwiklund, BTMash, marcingy | Letharion: .htaccess protections do not work on Apache 2.4 without mod_access_compat.

2014-03-29 16:28:16 +01:00 · 2014-03-29 16:28:16 +01:00 · 9e72c8bfaf
parent 719dfe1683
commit 9e72c8bfaf
3 changed files with 22 additions and 2 deletions
--- a/.htaccess
+++ b/.htaccess
@ -4,7 +4,12 @@

 # Protect files and directories from prying eyes.
 <FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
-  Order allow,deny
+  <IfModule mod_authz_core.c>
+    Require all denied
+  </IfModule>
+  <IfModule !mod_authz_core.c>
+    Order allow,deny
+  </IfModule>
 </FilesMatch>

 # Don't show directory listings for URLs which map to a directory.
--- a/core/lib/Drupal/Component/PhpStorage/FileStorage.php
+++ b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
@ -97,7 +97,18 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
 EOF;

    if ($private) {
-      $lines = "Deny from all\n\n" . $lines;
+      $lines = <<<EOF
+# Deny all requests from Apache 2.4+.
+<IfModule mod_authz_core.c>
+  Require all denied
+</IfModule>
+
+# Deny all requests from Apache 2.0-2.2.
+<IfModule !mod_authz_core.c>
+  Deny from all
+</IfModule>
+EOF
+      . $lines;
    }

    return $lines;
--- a/core/modules/system/lib/Drupal/system/Tests/File/HtaccessUnitTest.php
+++ b/core/modules/system/lib/Drupal/system/Tests/File/HtaccessUnitTest.php
@ -44,6 +44,8 @@ class HtaccessUnitTest extends DrupalUnitTestBase {
    $this->assertTrue(file_save_htaccess($public, FALSE));
    $content = file_get_contents($public . '/.htaccess');
    $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
+    $this->assertFalse(strpos($content, "Require all denied") !== FALSE);
+    $this->assertFalse(strpos($content, "Deny from all") !== FALSE);
    $this->assertTrue(strpos($content, "Options None") !== FALSE);
    $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
    $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
@ -56,6 +58,7 @@ class HtaccessUnitTest extends DrupalUnitTestBase {
    $this->assertTrue(file_save_htaccess($private));
    $content = file_get_contents($private . '/.htaccess');
    $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
+    $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
    $this->assertTrue(strpos($content, "Deny from all") !== FALSE);
    $this->assertTrue(strpos($content, "Options None") !== FALSE);
    $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
@ -69,6 +72,7 @@ class HtaccessUnitTest extends DrupalUnitTestBase {
    $this->assertTrue(file_save_htaccess($stream));
    $content = file_get_contents($stream . '/.htaccess');
    $this->assertTrue(strpos($content,"SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
+    $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
    $this->assertTrue(strpos($content,"Deny from all") !== FALSE);
    $this->assertTrue(strpos($content,"Options None") !== FALSE);
    $this->assertTrue(strpos($content,"Options +FollowSymLinks") !== FALSE);