Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

prevent execution of scripts from files directory

5.x
Gerhard Killesreiter 2006-05-25 01:33:53 +00:00
parent 369c776c4c
commit be6b7b0f1d
2 changed files with 19 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
INSTALL.txt
View File

@ -144,6 +144,13 @@ INSTALLATION
by the Drupal server process. You can change the name of this
subdirectory at "Administer > Settings > File system settings".
SECURITY NOTICE: Certain Apache configurations can be vulnerable
to a security exploit allowing arbitrary code execution. Drupal
will attempt to automatically create a .htaccess file in your
"files" directory to protect you. If you already have a .htaccess
file in that location, please add the following line:
SetHandler This_is_a_Drupal_security_line_do_not_remove
You can now launch your browser and point it to your Drupal site.
Create an account and login. The first account will automatically

12
includes/file.inc
View File

@ -112,6 +112,18 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) {
}
}
if ((file_directory_path() == $directory || file_directory_temp() == $directory) && !is_file("$directory/.htaccess")) {
if (($fp = fopen("$directory/.htaccess", 'w')) && fputs($fp, 'SetHandler This_is_a_Drupal_security_line_do_not_remove')) {
fclose($fp);
}
else {
$message = t("Security warning: Couldn't write .htaccess. Please create a .htaccess file in your %directory directory which contains the following line: <code>SetHandler This_is_a_Drupal_security_line_do_not_remove</code>", array('%directory' => $directory));
form_set_error($form_item, $message);
watchdog('file system', $message, WATCHDOG_ERROR);
}
}
return true;
}