diff --git a/includes/file.inc b/includes/file.inc
index d3ac87e..0e9065c 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -463,7 +463,8 @@ function file_ensure_htaccess() {
 }
 
 /**
- * Creates a .htaccess file in the given directory.
+ * Creates a .htaccess file in the given directory for Apache web servers or
+ * a web.config file for IIS web servers.
  *
  * @param $directory
  *   The directory.
@@ -471,7 +472,7 @@ function file_ensure_htaccess() {
  *   FALSE indicates that $directory should be an open and public directory.
  *   The default is TRUE which indicates a private and protected directory.
  * @param $force_overwrite
- *   Set to TRUE to attempt to overwrite the existing .htaccess file if one is
+ *   Set to TRUE to attempt to overwrite the existing file if one is
  *   already present. Defaults to FALSE.
  */
 function file_create_htaccess($directory, $private = TRUE, $force_overwrite = FALSE) {
@@ -481,22 +482,29 @@ function file_create_htaccess($directory, $private = TRUE, $force_overwrite = FA
   else {
     $directory = rtrim($directory, '/\\');
   }
-  $htaccess_path =  $directory . '/.htaccess';
+  // Unless we discover another httpd server, write an Apache-style .htaccess file
+  $htaccess_filename = '.htaccess';
+  $server_is_iis = FALSE;
+  if (preg_match('/IIS/', $_SERVER['SERVER_SOFTWARE'])) {
+    $server_is_iis = TRUE;
+    $htaccess_filename = 'web.config';
+  }
+  $htaccess_path =  $directory . DIRECTORY_SEPARATOR . $htaccess_filename;
 
   if (file_exists($htaccess_path) && !$force_overwrite) {
-    // Short circuit if the .htaccess file already exists.
+    // Short circuit if the file already exists.
     return;
   }
 
-  $htaccess_lines = file_htaccess_lines($private);
+  $htaccess_lines = ($server_is_iis) ? file_htaccess_lines($private) : file_webconfig_lines($private);
 
-  // Write the .htaccess file.
+  // Write the .htaccess (Apache) or web.config (IIS) file.
   if (file_put_contents($htaccess_path, $htaccess_lines)) {
     drupal_chmod($htaccess_path, 0444);
   }
   else {
     $variables = array('%directory' => $directory, '!htaccess' => '<br />' . nl2br(check_plain($htaccess_lines)));
-    watchdog('security', "Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess</code>", $variables, WATCHDOG_ERROR);
+    watchdog('security', "Security warning: Couldn't write " . $htaccess_filename . " file. Please create a " . $htaccess_filename . " file in your %directory directory which contains the following lines: <code>!htaccess</code>", $variables, WATCHDOG_ERROR);
   }
 }
 
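Review bot: The ternary that picks the file contents is inverted: when `$server_is_iis` is TRUE it calls `file_htaccess_lines()`, so Apache directives are written into `web.config`, and on Apache the XML from `file_webconfig_lines()` is written into `.htaccess`. Neither server then gets the access rules this function exists to install; the line should read `$htaccess_lines = $server_is_iis ? file_webconfig_lines($private) : file_htaccess_lines($private);`. Separately, `$_SERVER['SERVER_SOFTWARE']` is read without a check and is typically unset when PHP runs from the command line, so guard it with `isset($_SERVER['SERVER_SOFTWARE']) && ...` and document that the fallback is `.htaccess`. The start of `file_create_htaccess()`'s body lies outside this hunk, so any callers or status checks that still look only for `.htaccess` could not be reviewed here.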
@@ -540,6 +548,58 @@ EOF;
 }
 
 /**
+ * Returns the IIS-style web.config lines that Drupal writes to file directories.
+ *
+ * @param $private
+ *   (Optional) Set to FALSE to return the web.config lines for an open and
+ *   public directory. The default is TRUE, which returns the web.config lines
+ *   for a private and protected directory.
+ *
+ * @return
+ *   A string representing the desired contents of the web.config file.
+ *
+ * @see file_create_htaccess()
+ */
+function file_webconfig_lines($private = TRUE) {
+  if ($private) {
+    // Deny ALL access.
+    // See: https://msdn.microsoft.com/en-us/library/8aeskccd%28v=vs.85%29.aspx
+    $lines = <<<EOF
+<configuration>
+  <system.web>
+    <authorization>
+      <deny users="*"/>
+    </authorization>
+  </system.web>
+</configuration>
+EOF;
+  }
+  else {
+    // Clear the handlers for script execution. Only allow serving of flat files.
+    // See: https://groups.drupal.org/node/226059
+    $lines = <<<EOF
+<configuration>
+  <system.webServer>
+        <handlers>
+          <clear />
+          <add
+            name="StaticFile"
+            path="*"
+            verb="*"
+            modules="StaticFileModule"
+            resourceType="Either"
+            requireAccess="Read"
+          />
+        </handlers>
+  </system.webServer>
+</configuration>
+EOF;
+  }
+
+  return $lines;
+}
+
+/**
  * Loads file objects from the database.
  *
  * @param $fids
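Review bot: The private branch of `file_webconfig_lines()` denies access through `<system.web><authorization>`, which is the ASP.NET authorization section. On IIS 7 and later in integrated mode that module by default runs only for managed handlers, so static files and PHP requests in the private directory may still be served. Consider a server-level rule instead, for example `<add accessType="Deny" users="*" />` under `system.webServer/security/authorization`, and confirm on a real IIS install that a direct request to a file in a private directory is refused. The private branch also does not clear the script handlers as the public branch does, so it is worth stating in the comment whether that is intentional.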
