diff --git a/.htaccess b/.htaccess
index af418c4..b4491e7 100644
--- a/.htaccess
+++ b/.htaccess
@@ -15,8 +15,24 @@
 # Don't show directory listings for URLs which map to a directory.
 Options -Indexes
-# Follow symbolic links in this directory.
-Options +FollowSymLinks
+# There are two options available for following symbolic links,
+# SymLinksIfOwnerMatch and FollowSymLinks.
+#
+# Options +SymLinksIfOwnerMatch is the default and will only follow symbolic
+# links for which the target file or directory is owned by the same user id
+# as the link. This check provides important security on shared servers, and
+# without it users may be able to access private files belonging to other users.
+# However, there is a performance cost for checking the security of each link.
+# See the Apache Documentation on this subject for a recommended configuration:
+# http://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
+Options +SymLinksIfOwnerMatch
+
+# Options +FollowSymLinks will follow all symbolic links regardless of owner.
+# Use this option instead if you need to link to files owned by another user,
+# or if you are on a private server and are tuning for maximum performance.
+# Some web hosts do not allow FollowSymLinks and enabling the following line
+# may cause all site pages to return a HTTP 500 Error.
+#Options +FollowSymLinks
 # Make Drupal handle any 404 errors.
 ErrorDocument 404 /index.php
diff --git a/core/lib/Drupal/Component/PhpStorage/FileStorage.php b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
index 2ed6d6b..87fb727 100644
--- a/core/lib/Drupal/Component/PhpStorage/FileStorage.php
+++ b/core/lib/Drupal/Component/PhpStorage/FileStorage.php
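Review bot: The new comment block describes the `Options +SymLinksIfOwnerMatch` owner check as "important security" but omits the caveat Apache's own Options documentation attaches to it: the ownership test happens at request time and is subject to race conditions, so it reduces exposure on shared hosts without being a hard boundary, and correct file ownership and permissions on the host remain the actual control. Suggest adding after the perf-tuning link: `# This check is not a substitute for correct file ownership and permissions;` / `# Apache documents it as circumventable via race conditions.` The phrase "is the default" also reads as Apache's default, whereas Apache's shipped default for Options in 2.4 follows all symlinks; `# Options +SymLinksIfOwnerMatch is the default shipped with Drupal and will only follow symbolic` makes the intent explicit, and the documentation link could use https. The same comment block is repeated verbatim in the core/vendor/.htaccess hunk below (and presumably in the FileStorage::htaccessLines heredoc, whose hunk is garbled in this view), so the copies need to be kept in sync when either wording change is applied.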
@@ -80,7 +80,25 @@ public static function htaccessLines($private = TRUE) { $lines = <<assertFalse(strpos($content, "Require all denied") !== FALSE);
 $this->assertFalse(strpos($content, "Deny from all") !== FALSE);
 $this->assertTrue(strpos($content, "Options None") !== FALSE);
- $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
+ $this->assertTrue(strpos($content, "Options +SymLinksIfOwnerMatch") !== FALSE);
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
 $this->assertFilePermissions($public . '/.htaccess', 0444);
@@ -55,7 +55,7 @@ function testHtaccessSave() {
 $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
 $this->assertTrue(strpos($content, "Deny from all") !== FALSE);
 $this->assertTrue(strpos($content, "Options None") !== FALSE);
- $this->assertTrue(strpos($content, "Options +FollowSymLinks") !== FALSE);
+ $this->assertTrue(strpos($content, "Options +SymLinksIfOwnerMatch") !== FALSE);
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
 $this->assertFilePermissions($private . '/.htaccess', 0444);
@@ -69,7 +69,7 @@ function testHtaccessSave() {
 $this->assertTrue(strpos($content, "Require all denied") !== FALSE);
 $this->assertTrue(strpos($content,"Deny from all") !== FALSE);
 $this->assertTrue(strpos($content,"Options None") !== FALSE);
- $this->assertTrue(strpos($content,"Options +FollowSymLinks") !== FALSE);
+ $this->assertTrue(strpos($content,"Options +SymLinksIfOwnerMatch") !== FALSE);
 $this->assertTrue(strpos($content, "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003") !== FALSE);
 $this->assertFilePermissions($stream . '/.htaccess', 0444);
diff --git a/core/vendor/.htaccess b/core/vendor/.htaccess
index 50d210b..7ecb6a6 100644
--- a/core/vendor/.htaccess
+++ b/core/vendor/.htaccess
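Review bot: The updated assertions in the hunks at -55 and -69 (and, as far as it is readable, the earlier hunk whose header is garbled here) only check that `Options +SymLinksIfOwnerMatch` appears somewhere in the written file; a bare `strpos` also matches inside a comment, so if the generated lines mirror the .htaccess files in this commit, which keep a commented `#Options +FollowSymLinks`, a regression that re-enabled the unconditional directive would still pass these tests. Consider pairing each new assertion with a line-anchored negative check such as `$this->assertFalse((bool) preg_match('/^Options \+FollowSymLinks/m', $content));` so the test pins the directive that is actually active rather than the substring. The enclosing testHtaccessSave() starts outside these hunks, and the file header for this test was lost in the collapsed view, so the file path cannot be confirmed from here.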
@@ -9,7 +9,25 @@
 # Turn off all options we don't need.
 Options None
-Options +FollowSymLinks
+
+# There are two options available for following symbolic links,
+# SymLinksIfOwnerMatch and FollowSymLinks.
+#
+# Options +SymLinksIfOwnerMatch is the default and will only follow symbolic
+# links for which the target file or directory is owned by the same user id
+# as the link. This check provides important security on shared servers, and
+# without it users may be able to access private files belonging to other users.
+# However, there is a performance cost for checking the security of each link.
+# See the Apache Documentation on this subject for a recommended configuration:
+# http://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
+Options +SymLinksIfOwnerMatch
+
+# Options +FollowSymLinks will follow all symbolic links regardless of owner.
+# Use this option instead if you need to link to files owned by another user,
+# or if you are on a private server and are tuning for maximum performance.
+# Some web hosts do not allow FollowSymLinks and enabling the following line
+# may cause all site pages to return a HTTP 500 Error.
+#Options +FollowSymLinks
 # Set the catch-all handler to prevent scripts from being executed.
 SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006