? drupal-protect-txt-files-79018-16.patch
? drupal-protect-txt-files-79018-19.patch
? sites/default/files
? sites/default/settings.php
Index: .htaccess
===================================================================
RCS file: /cvs/drupal/drupal/.htaccess,v
retrieving revision 1.90
diff -u -p -r1.90 .htaccess
--- .htaccess	5 Oct 2007 14:43:23 -0000	1.90
+++ .htaccess	25 Jan 2008 03:25:29 -0000
@@ -3,7 +3,7 @@
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$">
+<FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$|^(CHANGELOG|COPYRIGHT|INSTALL.*|LICENSE|MAINTAINERS|README|UPGRADE).txt$">
   Order allow,deny
 </FilesMatch>
 
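Review bot: The `.` before `txt` in the added alternative `^(CHANGELOG|COPYRIGHT|INSTALL.*|LICENSE|MAINTAINERS|README|UPGRADE).txt$` is unescaped, so it matches any character rather than a literal dot; `\.txt$` keeps the rule to the intended files. The names are also matched case-sensitively, so on a case-insensitive filesystem a request for `changelog.txt` would presumably still be served; this is worth testing on such a host and, if confirmed, handling with a case-insensitive group such as `^(?i:CHANGELOG|...)\.txt$`. The existing comment above the directive could also say why these files are now covered, e.g. `# Also hide the bundled *.txt files, which disclose the installed release.`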
Index: includes/file.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/file.inc,v
retrieving revision 1.118
diff -u -p -r1.118 file.inc
--- includes/file.inc	9 Jan 2008 10:39:48 -0000	1.118
+++ includes/file.inc	25 Jan 2008 03:25:29 -0000
@@ -125,7 +125,15 @@ function file_check_directory(&$director
   }
 
   if ((file_directory_path() == $directory || file_directory_temp() == $directory) && !is_file("$directory/.htaccess")) {
-    $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks";
+    $htaccess_lines  = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\n";
+    $htaccess_lines .= "Options None\n";
+    $htaccess_lines .= "Options +FollowSymLinks\n";
+    $htaccess_lines .= "<FilesMatch \".+\">\n";
+    $htaccess_lines .= "  allow from all\n";
+    $htaccess_lines .= "</FilesMatch>\n";
+    $htaccess_lines .= "<Files .htaccess>\n";
+    $htaccess_lines .= "  deny from all\n";
+    $htaccess_lines .= "</Files>\n";
     if (($fp = fopen("$directory/.htaccess", 'w')) && fputs($fp, $htaccess_lines)) {
       fclose($fp);
       chmod($directory .'/.htaccess', 0664);
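Review bot: The generated `<FilesMatch ".+">` / `allow from all` block re-opens every file name in the files and temp directories, not only the `.txt` names the root rule newly blocks. If Apache lets this section override the root `FilesMatch` deny, an uploaded `.sql`, `.inc` or `.sh` file there becomes downloadable again. Narrowing the pattern to what the root change affects, so the written line reads `<FilesMatch "\.txt$">`, would keep the older protections in place. The `!is_file("$directory/.htaccess")` guard also means sites that already have this file never receive the new lines, so their uploaded `README.txt`-style files would be denied by the root rule after upgrading; an update step or a documented manual edit is needed. The body of `file_check_directory` continues outside the hunk, so the failure branch of the `fopen`/`fputs` check is not visible here.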
