Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #1599774 by longwave, ben.bunk, Rob C, stefan.r, David_Rothstein, BTMash, kristofferwiklund, marcingy, mpdonadio, DuneBL, serundeputy, Letharion, quicksketch, alexpott, J-Lee, Morbus Iff: Drupal fails to boot with 503 error and .htaccess protections do not work on Apache 2.4 without mod_access_compat

merge-requests/26/head
David Rothstein 2017-06-06 00:15:04 -04:00
parent 0528883b9e
commit ff27da6b35
3 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.htaccess
View File

@ -4,7 +4,12 @@
# Protect files and directories from prying eyes. # Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$"> <FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
Order allow,deny <IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
</IfModule>
</FilesMatch> </FilesMatch>
# Don't show directory listings for URLs which map to a directory. # Don't show directory listings for URLs which map to a directory.

2
CHANGELOG.txt
View File

@ -7,6 +7,8 @@ Drupal 7.xx, xxxx-xx-xx (development version)
- Allowed services such as Let's Encrypt to work with Drupal on Apache, by - Allowed services such as Let's Encrypt to work with Drupal on Apache, by
making Drupal's .htaccess file allow access to the .well-known directory making Drupal's .htaccess file allow access to the .well-known directory
defined by RFC 5785. defined by RFC 5785.
- Made new Drupal sites work correctly on Apache 2.4 when the mod_access_compat
Apache module is disabled.
- Fixed Drupal's URL-generating functions to always encode '[' and ']' so that - Fixed Drupal's URL-generating functions to always encode '[' and ']' so that
the URLs will pass HTML5 validation. the URLs will pass HTML5 validation.
- Several bug fixes. - Several bug fixes.

13
includes/file.inc
View File

@ -535,7 +535,18 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
EOF; EOF;
if ($private) { if ($private) {
$lines = "Deny from all\n\n" . $lines; $lines = <<<EOF
# Deny all requests from Apache 2.4+.
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Deny all requests from Apache 2.0-2.2.
<IfModule !mod_authz_core.c>
Deny from all
</IfModule>
EOF
. "\n\n" . $lines;
} }
return $lines; return $lines;