From c432569e148cd96f64e99a20f9ff95715d3bb550 Mon Sep 17 00:00:00 2001
From: Wong Hoi Sing Edison
Date: Sat, 22 Dec 2012 22:07:30 +0800
Subject: [PATCH] Issue #1269780 by AFowle, hswong3i: Use +SymLinksIfOwnerMatch instead of +FollowSymLinks option in .htaccess - Security.

---
 .htaccess | 2 +-
 includes/file.inc | 4 ++--
 modules/simpletest/tests/file.test | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.htaccess b/.htaccess
index 5ca1b08..fbe7f78 100644
--- a/.htaccess
+++ b/.htaccess
@@ -11,7 +11,7 @@ Options -Indexes
 # Follow symbolic links in this directory.
-Options +FollowSymLinks
+Options +SymLinksIfOwnerMatch
 # Make Drupal handle any 404 errors.
 ErrorDocument 404 /index.php
diff --git a/includes/file.inc b/includes/file.inc
index 278be3d..df1c0fc 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -491,11 +491,11 @@ function file_create_htaccess($directory, $private = TRUE) {
 if ($private) {
 // Private .htaccess file.
- $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nDeny from all\nOptions None\nOptions +FollowSymLinks";
+ $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nDeny from all\nOptions None\nOptions +SymLinksIfOwnerMatch";
 }
 else {
 // Public .htaccess file.
- $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks";
+ $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +SymLinksIfOwnerMatch";
 }
 // Write the .htaccess file.
diff --git a/modules/simpletest/tests/file.test b/modules/simpletest/tests/file.test
index 3df31ba..d8bfc3d 100644
--- a/modules/simpletest/tests/file.test
+++ b/modules/simpletest/tests/file.test
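Review bot: The tightening on the `+Options +SymLinksIfOwnerMatch` line is only partial, because a relative `+` option merges with the enclosing directory's Options, so on a server whose `<Directory>` block already grants `FollowSymLinks` (a common distribution default for the document root) that option stays in force and the ownership check never applies; if the intent is to replace it, the line should be `Options -FollowSymLinks +SymLinksIfOwnerMatch`. The context comment `# Follow symbolic links in this directory.` now understates what the directive does and could read `# Follow symbolic links only when the link and its target have the same owner.`. The Apache core documentation describes the ownership test as circumventable by race conditions and it costs an extra lstat per path component, so this is a hardening step rather than a hard boundary, and the "- Security" wording in the subject should be read that way.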
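Review bot: The `Options None\nOptions +SymLinksIfOwnerMatch` now written by both branches will make Apache refuse (403) every file in a files directory that is reached through a symlink whose owner differs from the target's owner — a common layout where the link is created by the deploying account and the writable target is owned by the web-server user — and nothing in the hunk records that consequence. A why-comment above the assignments, such as `// SymLinksIfOwnerMatch only follows links whose owner matches the target; a files directory symlinked across users will be refused by Apache.`, would save the next maintainer a debugging session. The private branch also still emits `Deny from all`, which is Apache 2.2 syntax and only keeps working on 2.4 when mod_access_compat is loaded; not something this commit set out to fix, but worth a note next to it. file_create_htaccess begins and ends outside this hunk.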
@@ -952,7 +952,7 @@ class FileDirectoryTest extends FileTestCase {
 $this->assertTrue(is_file(file_default_scheme() . '://.htaccess'), t('Successfully re-created the .htaccess file in the files directory.'), 'File');
 // Verify contents of .htaccess file.
 $file = file_get_contents(file_default_scheme() . '://.htaccess');
- $this->assertEqual($file, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks", t('The .htaccess file contains the proper content.'), 'File');
+ $this->assertEqual($file, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +SymLinksIfOwnerMatch", t('The .htaccess file contains the proper content.'), 'File');
 }
 /**
-- 
1.7.9.5
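Review bot: The updated `assertEqual` pins only the public variant of the generated .htaccess; the private variant — the default, since `$private = TRUE`, and the one that adds `Deny from all` — has no assertion in this hunk, so a regression in that more security-relevant string would still pass here. Consider creating the file once more with the private flag and asserting its exact content, `"SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nDeny from all\nOptions None\nOptions +SymLinksIfOwnerMatch"`, in the same way; I cannot tell from this hunk whether another test method already does so. The enclosing test method starts outside the hunk.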