From ff27da6b35d70cfd601994394fab378ff1df3efb Mon Sep 17 00:00:00 2001 From: David Rothstein Date: Tue, 6 Jun 2017 00:15:04 -0400 Subject: [PATCH] Issue #1599774 by longwave, ben.bunk, Rob C, stefan.r, David_Rothstein, BTMash, kristofferwiklund, marcingy, mpdonadio, DuneBL, serundeputy, Letharion, quicksketch, alexpott, J-Lee, Morbus Iff: Drupal fails to boot with 503 error and .htaccess protections do not work on Apache 2.4 without mod_access_compat --- .htaccess | 7 ++++++- CHANGELOG.txt | 2 ++ includes/file.inc | 13 ++++++++++++- 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/.htaccess b/.htaccess index 3d6c2dd4418..37fce10d32a 100644 --- a/.htaccess +++ b/.htaccess @@ -4,7 +4,12 @@ # Protect files and directories from prying eyes. - Order allow,deny + + Require all denied + + + Order allow,deny + # Don't show directory listings for URLs which map to a directory. diff --git a/CHANGELOG.txt b/CHANGELOG.txt index a5d591c0ebe..559c98b8d8f 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -7,6 +7,8 @@ Drupal 7.xx, xxxx-xx-xx (development version) - Allowed services such as Let's Encrypt to work with Drupal on Apache, by making Drupal's .htaccess file allow access to the .well-known directory defined by RFC 5785. +- Made new Drupal sites work correctly on Apache 2.4 when the mod_access_compat + Apache module is disabled. - Fixed Drupal's URL-generating functions to always encode '[' and ']' so that the URLs will pass HTML5 validation. - Several bug fixes. diff --git a/includes/file.inc b/includes/file.inc index 7157ea90164..6a580c3ef86 100644 --- a/includes/file.inc +++ b/includes/file.inc @@ -535,7 +535,18 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 EOF; if ($private) { - $lines = "Deny from all\n\n" . $lines; + $lines = << + Require all denied + + +# Deny all requests from Apache 2.0-2.2. + + Deny from all + +EOF + . "\n\n" . $lines; } return $lines;
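Review bot: The two access-control branches added to the protected-files block in .htaccess carry no comment saying which Apache generation each one serves, whereas the text generated in includes/file.inc labels its fallback with `# Deny all requests from Apache 2.0-2.2.`. I would add `# Apache 2.4+ (mod_authz_core).` above `Require all denied` and `# Apache 2.0-2.2.` above `Order allow,deny`, so that an administrator merging a customised .htaccess does not drop one branch by mistake. The enclosing container tags are not visible on this page (they appear to have been stripped by the rendering), so confirm in the real file that the two conditions are exact complements. If they are not, a server matching neither condition would get no deny rule for these files.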
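Review bot: Only text generated after this change gets the dual-syntax block in includes/file.inc, so a private files directory whose .htaccess was written earlier presumably still holds the bare `Deny from all` line. The code that writes the file is outside this hunk, so whether existing files are refreshed cannot be confirmed here. The commit subject says the old protections do not work on Apache 2.4 without mod_access_compat, and the CHANGELOG entry speaks only of new sites, so administrators of existing sites need to know they must regenerate these files. If existing files are not rewritten, say so beside the new heredoc, for example `// .htaccess files already on disk keep the old syntax and must be regenerated.`. The heredoc opener looks truncated on this page (`$lines = <<`), and the enclosing function starts and ends outside the hunk.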