diff --git a/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php b/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php
index 8f643c9..643cb19 100644
--- a/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php
+++ b/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php
@@ -58,17 +58,33 @@ if ($this->redirection) {
 
       # Error handler for Drupal > 4.6.7
       <Directory "<?php print $this->site_path; ?>/files">
-        SetHandler This_is_a_Drupal_security_line_do_not_remove
+        <Files *>
+          SetHandler This_is_a_Drupal_security_line_do_not_remove
+        </Files>
+        Options None
+        Options +FollowSymLinks
+
+        # If we know how to do it safely, disable the PHP engine entirely.
+        <IfModule mod_php5.c>
+          php_flag engine off
+        </IfModule>
       </Directory>
 
     # Prevent direct reading of files in the private dir.
     # This is for Drupal7 compatibility, which would normally drop
     # a .htaccess in those directories, but we explicitly ignore those
     <Directory "<?php print $this->site_path; ?>/private/" >
-       SetHandler This_is_a_Drupal_security_line_do_not_remove
-       Deny from all
-       Options None
-       Options +FollowSymLinks
+      <Files *>
+        SetHandler This_is_a_Drupal_security_line_do_not_remove
+      </Files>
+      Deny from all
+      Options None
+      Options +FollowSymLinks
+
+      # If we know how to do it safely, disable the PHP engine entirely.
+      <IfModule mod_php5.c>
+        php_flag engine off
+      </IfModule>
     </Directory>
 
   </VirtualHost>
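Review bot: The `php_flag engine off` blocks at lines 17–19 and 38–40 (and the same two places in the vhost.tpl.php hunk) are guarded by `<IfModule mod_php5.c>` only, so on a server running PHP via mod_php7 or FastCGI/PHP-FPM they are silently skipped and the `<Files *>` SetHandler wrapper becomes the sole protection for these directories. That is fine as defence in depth, but nothing in the template records either that limitation or why the bare SetHandler now needs the `<Files *>` wrapper, and the next maintainer is likely to "simplify" it back. Suggest above line 10 (and its three siblings): `# <Files> sections merge after <Directory> sections, so a server-wide <FilesMatch \.php$> SetHandler would override a bare SetHandler here; wrapping it in <Files *> keeps this override last.`, and above line 17: `# Only mod_php5 honours php_flag; under PHP-FPM/FastCGI or a newer mod_php the handler override above is the only protection.` The enclosing <VirtualHost> opens before the hunk.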
diff --git a/http/Provision/Config/Apache/vhost.tpl.php b/http/Provision/Config/Apache/vhost.tpl.php
index acb5418..5cacca4 100644
--- a/http/Provision/Config/Apache/vhost.tpl.php
+++ b/http/Provision/Config/Apache/vhost.tpl.php
@@ -55,17 +55,33 @@ if ($this->redirection || $ssl_redirection) {
 
     # Error handler for Drupal > 4.6.7
     <Directory "<?php print $this->site_path; ?>/files">
-      SetHandler This_is_a_Drupal_security_line_do_not_remove
+      <Files *>
+        SetHandler This_is_a_Drupal_security_line_do_not_remove
+      </Files>
+      Options None
+      Options +FollowSymLinks
+
+      # If we know how to do it safely, disable the PHP engine entirely.
+      <IfModule mod_php5.c>
+        php_flag engine off
+      </IfModule>
     </Directory>
 
     # Prevent direct reading of files in the private dir.
     # This is for Drupal7 compatibility, which would normally drop
     # a .htaccess in those directories, but we explicitly ignore those
     <Directory "<?php print $this->site_path; ?>/private/" >
-       SetHandler This_is_a_Drupal_security_line_do_not_remove
-       Deny from all
-       Options None
-       Options +FollowSymLinks
+      <Files *>
+        SetHandler This_is_a_Drupal_security_line_do_not_remove
+      </Files>
+      Deny from all
+      Options None
+      Options +FollowSymLinks
+
+      # If we know how to do it safely, disable the PHP engine entirely.
+      <IfModule mod_php5.c>
+        php_flag engine off
+      </IfModule>
     </Directory>
     
 
diff --git a/platform/provision_drupal.drush.inc b/platform/provision_drupal.drush.inc
index 901ad5b..fc85ae4 100644
--- a/platform/provision_drupal.drush.inc
+++ b/platform/provision_drupal.drush.inc
@@ -274,6 +274,69 @@ function _provision_drupal_create_directories($url = NULL) {
 }
 
 /**
+ * Call the core file_create_htaccess() functions.
+ *
+ * Unlink the files first to avoid permission issues.
+ * If drupal already created the file then it's owned by e.g. www-data and aegir can not chmod those.
+ *
+ * @see https://drupal.org/SA-CORE-2013-003
+ */
+function _provision_drupal_ensure_htaccess_update() {
+
+  if (drush_drupal_major_version() == 7) {
+
+    // Copied from modules/system/system.install system_requirements()
+    $htaccess_files['public://.htaccess'] = array(
+      'directory' => variable_get('file_public_path', conf_path() . '/files'),
+    );
+    if ($private_files_directory = variable_get('file_private_path')) {
+      $htaccess_files['private://.htaccess'] = array(
+        'directory' => $private_files_directory,
+      );
+    }
+    $htaccess_files['temporary://.htaccess'] = array(
+      'directory' => variable_get('file_temporary_path', file_directory_temp()),
+    );
+    foreach ($htaccess_files as $htaccess_file => $info) {
+      // Check for the string which was added to the recommended .htaccess file
+      // in the latest security update.
+      if (!file_exists($htaccess_file) || !($contents = @file_get_contents($htaccess_file)) || strpos($contents, 'Drupal_Security_Do_Not_Remove_See_SA_2013_003') === FALSE) {
+
+        // Aegir specific
+        @unlink($htaccess_file);
+        file_create_htaccess($info['directory'], FALSE);
+        drush_log(dt('Updated @file to match http://drupal.org/SA-CORE-2013-003', array('@file' => $info['directory'] . '/.htaccess')), 'notice');
+        $path = file_stream_wrapper_get_instance_by_uri($htaccess_file)->getDirectoryPath();
+        d()->service('http')->sync(d()->root . '/' . $info['directory'] . '/.htaccess');
+      }
+    }
+  }
+  elseif (drush_drupal_major_version() == 6 && function_exists('file_create_htaccess')) {
+
+    // Copied from modules/system/system.install system_requirements()
+    $htaccess_files['files_htaccess'] = array(
+      'directory' => file_directory_path(),
+    );
+    $htaccess_files['temporary_files_htaccess'] = array(
+      'directory' => file_directory_temp(),
+    );
+    foreach ($htaccess_files as $key => $info) {
+      // Check for the string which was added to the recommended .htaccess file
+      // in the latest security update.
+      $htaccess_file = $info['directory'] . '/.htaccess';
+      if (!file_exists($htaccess_file) || !($contents = @file_get_contents($htaccess_file)) || strpos($contents, 'Drupal_Security_Do_Not_Remove_See_SA_2013_003') === FALSE) {
+
+        // Aegir specific
+        @unlink($info['directory'] . '/.htaccess');
+        file_create_htaccess($info['directory'], NULL);
+        drush_log(dt('Updated @file to match http://drupal.org/SA-CORE-2013-003', array('@file' => $info['directory'] . '/.htaccess')), 'notice');
+        d()->service('http')->sync(d()->root . '/' . $info['directory'] . '/.htaccess');
+      }
+    }
+  }
+}
+
+/**
  * Runs an external script to reload all the various drupal caches
  */
 function _provision_drupal_rebuild_caches() {
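Review bot: The `$private` argument to file_create_htaccess() is hard-coded to FALSE at line 125 (D7) and NULL at line 149 (D6) for every entry, including the private and temporary directories; if that parameter keeps core's meaning, those two `.htaccess` files are regenerated without `Deny from all`, which is weaker than what core's own file_ensure_htaccess() writes for them. Carry a per-entry flag instead, e.g. `'private' => TRUE` on the private and temporary entries and `file_create_htaccess($info['directory'], $info['private']);`. Separately, `$path` on line 127 is assigned and never read, and the sync target `d()->root . '/' . $info['directory'] . '/.htaccess'` is wrong whenever file_private_path or the temporary path is absolute (the normal layout for a private directory outside the docroot); resolving the wrapper URI to a real path covers both cases. The "Updated" log line is also emitted even when the suppressed unlink() or the write failed, so re-checking for the SA marker before logging keeps the message honest; the D6 branch should mirror the same changes with plain realpath().

```php
    // … unchanged: $htaccess_files entries, each extended with a 'private' => TRUE/FALSE key …
    foreach ($htaccess_files as $htaccess_file => $info) {
      // … unchanged: marker check …
        @unlink($htaccess_file);
        file_create_htaccess($info['directory'], $info['private']);
        // Resolve the wrapper URI to a filesystem path: private/temporary dirs are often
        // absolute, so prefixing d()->root would point at a non-existent file.
        $real_path = drupal_realpath($htaccess_file);
        $written = $real_path && ($contents = @file_get_contents($real_path)) && strpos($contents, 'Drupal_Security_Do_Not_Remove_See_SA_2013_003') !== FALSE;
        if ($written) {
          drush_log(dt('Updated @file to match http://drupal.org/SA-CORE-2013-003', array('@file' => $real_path)), 'notice');
          d()->service('http')->sync($real_path);
        }
        else {
          drush_log(dt('Could not rewrite @file; check ownership and permissions of its directory.', array('@file' => $htaccess_file)), 'warning');
        }
```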
diff --git a/platform/verify.provision.inc b/platform/verify.provision.inc
index f3c3e59..c72c72c 100644
--- a/platform/verify.provision.inc
+++ b/platform/verify.provision.inc
@@ -85,6 +85,7 @@ function drush_provision_drupal_pre_provision_verify() {
     // This is the actual drupal provisioning requirements. 
     _provision_drupal_create_directories();
     _provision_drupal_maintain_aliases();
+    _provision_drupal_ensure_htaccess_update();
     // Requires at least the database settings to complete.
 
     _provision_drupal_create_settings_file();
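Review bot: `_provision_drupal_ensure_htaccess_update()` is inserted at line 169 above the comment saying the following steps require the database settings, yet the helper itself reads variable_get('file_public_path'), variable_get('file_private_path') and variable_get('file_temporary_path'). If the bootstrap level reached at this point is below the one that loads variables, file_private_path resolves to NULL and the private directory is silently skipped while the public path falls back to conf_path() . '/files', so the update would appear to succeed without touching the directory that matters most. Worth confirming the bootstrap level here, or moving the call after the settings file is in place. drush_provision_drupal_pre_provision_verify() starts before the hunk, so the surrounding site/platform condition is not visible.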
