Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #1269780 by hswong3i, damien_vancouver, Agileware, ricardoamaro, alexpott, axel.rutz, yannickoo: Remove symlinks option from .htaccess

8.0.x
Nathaniel Catchpole 2015-11-09 18:22:09 +00:00
parent 2358408c67
commit dc736e7217
4 changed files with 5 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.htaccess
View File

@ -15,9 +15,6 @@
# Don't show directory listings for URLs which map to a directory. # Don't show directory listings for URLs which map to a directory.
Options -Indexes Options -Indexes
# Follow symbolic links in this directory.
Options +FollowSymLinks
# Set the default handler. # Set the default handler.
DirectoryIndex index.php index.html index.htm DirectoryIndex index.php index.html index.htm

3
core/lib/Drupal/Component/PhpStorage/FileStorage.php
View File

@ -79,8 +79,7 @@ class FileStorage implements PhpStorageInterface {
public static function htaccessLines($private = TRUE) { public static function htaccessLines($private = TRUE) {
$lines = <<<EOF $lines = <<<EOF
# Turn off all options we don't need. # Turn off all options we don't need.
Options None Options -Indexes -ExecCGI -Includes -MultiViews
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed. # Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

9
core/modules/system/src/Tests/File/HtaccessUnitTest.php
View File

@ -40,8 +40,7 @@ class HtaccessUnitTest extends KernelTestBase {
$this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE); $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
$this->assertFalse(strpos($content, "Require all denied") !== FALSE); $this->assertFalse(strpos($content, "Require all denied") !== FALSE);
$this->assertFalse(strpos($content, "Deny from all") !== FALSE); $this->assertFalse(strpos($content, "Deny from all") !== FALSE);
$this->assertTrue(strpos($content, "Options None") !== FALSE); $this->assertTrue(strpos($content, "Options -Indexes -ExecCGI -Includes -MultiViews") !== FALSE);
$this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
$this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE); $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
$this->assertFilePermissions($public . '/.htaccess', 0444); $this->assertFilePermissions($public . '/.htaccess', 0444);
@ -54,8 +53,7 @@ class HtaccessUnitTest extends KernelTestBase {
$this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE); $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
$this->assertTrue(strpos($content, "Require all denied") !== FALSE); $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
$this->assertTrue(strpos($content, "Deny from all") !== FALSE); $this->assertTrue(strpos($content, "Deny from all") !== FALSE);
$this->assertTrue(strpos($content, "Options None") !== FALSE); $this->assertTrue(strpos($content, "Options -Indexes -ExecCGI -Includes -MultiViews") !== FALSE);
$this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
$this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE); $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
$this->assertFilePermissions($private . '/.htaccess', 0444); $this->assertFilePermissions($private . '/.htaccess', 0444);
@ -68,8 +66,7 @@ class HtaccessUnitTest extends KernelTestBase {
$this->assertTrue(strpos($content,"SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE); $this->assertTrue(strpos($content,"SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006") !== FALSE);
$this->assertTrue(strpos($content, "Require all denied") !== FALSE); $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
$this->assertTrue(strpos($content,"Deny from all") !== FALSE); $this->assertTrue(strpos($content,"Deny from all") !== FALSE);
$this->assertTrue(strpos($content,"Options None") !== FALSE); $this->assertTrue(strpos($content,"Options -Indexes -ExecCGI -Includes -MultiViews") !== FALSE);
$this->assertTrue(strpos($content,"Options +FollowSymLinks") !== FALSE);
$this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE); $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
$this->assertFilePermissions($stream . '/.htaccess', 0444); $this->assertFilePermissions($stream . '/.htaccess', 0444);

3
vendor/.htaccess vendored
View File

@ -8,8 +8,7 @@
Deny from all Deny from all
</IfModule> </IfModule>
# Turn off all options we don't need. # Turn off all options we don't need.
Options None Options -Indexes -ExecCGI -Includes -MultiViews
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed. # Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006