From 58718e3de501d88fc1d76852f31cb58433ec650e Mon Sep 17 00:00:00 2001
From: Axel Rutz
Date: Tue, 3 Nov 2015 02:41:59 +0100
Subject: [PATCH] Issue #1269780 by hswong3i, damien_vancouver, Agileware, ricardoamaro, yannickoo, axel.rutz: Use +SymLinksIfOwnerMatch instead of +FollowSymLinks option in .htaccess
---
 .htaccess | 24 ++++++++++++++++++++--
 .../Drupal/Component/PhpStorage/FileStorage.php | 23 ++++++++++++++++++++-
 .../system/src/Tests/File/HtaccessUnitTest.php | 6 +++---
 vendor/.htaccess | 2 +-
 4 files changed, 48 insertions(+), 7 deletions(-)
diff --git a/.htaccess b/.htaccess
index b26c63b..19c0697 100644
--- a/.htaccess
+++ b/.htaccess
@@ -15,8 +15,28 @@
 # Don't show directory listings for URLs which map to a directory.
 Options -Indexes
-# Follow symbolic links in this directory.
-Options +FollowSymLinks
+# There are two options available for following symbolic links,
+# SymLinksIfOwnerMatch and FollowSymLinks.
+#
+# Options +SymLinksIfOwnerMatch is the default and will only follow symbolic
+# links for which the target file or directory is owned by the same user ID as
+# the link. On some shared hosting environments, this is the only allowed
+# option, since it prevents users from trying to access private files belonging
+# to other users on the system. However, there is a performance cost for
+# checking the owner of each link. See the Apache documentation on this subject
+# for a recommended configuration:
+# http://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
+Options +SymLinksIfOwnerMatch
+
+# Options +FollowSymLinks will follow all symbolic links regardless of owner.
+# Use this option instead if you need to link to files owned by another user,
+# or if you are on a private server and are tuning for maximum performance.
+# As mentioned above, some shared hosting environments do not allow
+# FollowSymLinks, so attempting to enable it in those environments may cause
+# all site pages to return a HTTP 500 error. To enable FollowSymLinks,
+# uncomment the following line (and comment out the SymLinksIfOwnerMatch line
+# above):
+# Options +FollowSymLinks
 # Set the default handler.
 DirectoryIndex index.php index.html index.htm
diff --git a/core/lib/Drupal/Component/PhpStorage/FileStorage.php b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
index e4e7fde..2ffd839 100644
--- a/core/lib/Drupal/Component/PhpStorage/FileStorage.php
+++ b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
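Review bot: The comment block added above `Options +SymLinksIfOwnerMatch` overstates what the option guarantees: it says the ownership check "prevents users from trying to access private files belonging to other users", but as I read Apache's Options documentation, symlink ownership testing is explicitly described as subject to race conditions and not to be relied on as a security restriction, so the real isolation still comes from filesystem permissions and per-user PHP/web processes. I would add a sentence after the performance remark: `# Note: Apache documents this ownership test as racy, so treat it as hardening, not as the boundary that keeps other users' files private; rely on file permissions for that.` The phrase "is the default" is also ambiguous, since Apache's own built-in default (Options All) includes FollowSymLinks; `# Options +SymLinksIfOwnerMatch is Drupal's default and will only follow symbolic` says what is meant. Finally, the text lists the HTTP 500 risk only under FollowSymLinks, but any `Options` line fails the same way when AllowOverride excludes Options, which is worth one sentence so that administrators do not assume the new default is immune.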
@@ -80,7 +80,28 @@ public static function htaccessLines($private = TRUE) {
 $lines = <<assertFalse(strpos($content, "Require all denied") !== FALSE);
 $this->assertFalse(strpos($content, "Deny from all") !== FALSE);
 $this->assertTrue(strpos($content, "Options None") !== FALSE);
- $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
+ $this->assertTrue(strpos($content, "Options +SymLinksIfOwnerMatch") !== FALSE);
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
 $this->assertFilePermissions($public . '/.htaccess', 0444);
@@ -55,7 +55,7 @@ function testHtaccessSave() {
 $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
 $this->assertTrue(strpos($content, "Deny from all") !== FALSE);
 $this->assertTrue(strpos($content, "Options None") !== FALSE);
- $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
+ $this->assertTrue(strpos($content, "Options +SymLinksIfOwnerMatch") !== FALSE);
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
 $this->assertFilePermissions($private . '/.htaccess', 0444);
@@ -69,7 +69,7 @@ function testHtaccessSave() {
 $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
 $this->assertTrue(strpos($content,"Deny from all") !== FALSE);
 $this->assertTrue(strpos($content,"Options None") !== FALSE);
- $this->assertTrue(strpos($content,"Options +FollowSymLinks") !== FALSE);
+ $this->assertTrue(strpos($content,"Options +SymLinksIfOwnerMatch") !== FALSE);
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
 $this->assertFilePermissions($stream . '/.htaccess', 0444);
diff --git a/vendor/.htaccess b/vendor/.htaccess
index 50d210b..db43336 100644
--- a/vendor/.htaccess
+++ b/vendor/.htaccess
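Review bot: The replacement assertions in testHtaccessSave() check for the substring `Options +SymLinksIfOwnerMatch` with `strpos`, which also matches a commented-out `# Options +SymLinksIfOwnerMatch` line, so the test cannot distinguish an active directive from a disabled one — and this very patch introduces that pattern in the root .htaccess (a commented `# Options +FollowSymLinks`), which the +23-line diffstat for FileStorage::htaccessLines() suggests is mirrored in the generated text. An anchored, multiline match pins the intended behavior: `$this->assertTrue(preg_match('/^Options \+SymLinksIfOwnerMatch$/m', $content) === 1);`, and a companion `$this->assertFalse(preg_match('/^Options \+FollowSymLinks$/m', $content) === 1);` would catch the old directive coming back as an active line. testHtaccessSave() starts and ends outside these hunks, and the FileStorage.php hunk above them is truncated in this copy, so the generated .htaccess text itself could not be reviewed here.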
@@ -9,7 +9,7 @@
 # Turn off all options we don't need.
 Options None
-Options +FollowSymLinks
+Options +SymLinksIfOwnerMatch
 # Set the catch-all handler to prevent scripts from being executed.
 SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
--
2.1.4
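Review bot: The new `Options +SymLinksIfOwnerMatch` line in vendor/.htaccess carries none of the explanation added to the root .htaccess in this same patch, so an administrator who follows the root comment's invitation to switch back to FollowSymLinks has no cue that this file (and, presumably, the generated public/private files .htaccess) must be changed in step, leaving the site with inconsistent symlink policy per directory. A one-line pointer is enough: `# Keep in sync with the symbolic-link option chosen in the root .htaccess; see the comment there.` Whether vendor/ needs symlink following at all (Composer path repositories do create symlinks) is not visible from this hunk, so I would keep the directive and only document it; the `SetHandler` line below it still prevents execution of anything reached through such a link.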