I'm getting the following error:
Executable PHP in files directory
...
The .htaccess file exists but does not contain the correct content. It is possible it's been maliciously altered.
I've manually compared the contents of sites/default/files/.htaccess with the output of the file_htaccess_lines() function, and it matches perfectly.
The .htaccess file is 644, and the files folder is 755.
The code in security_review.inc on line 642 reads:
// Text from includes/file.inc.
$expected = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks";
if ($contents !== $expected) {
  $result = FALSE;
  $check_result_value[] = 'incorrect_htaccess';
}
This code is too brittle, and too easy to get out of sync with core.
The following code compares the entire output of the file_htaccess_lines() function with the actual file contents (stripping whitespace, which was causing issues for me as well).
// Text from includes/file.inc.
$expected = file_htaccess_lines(FALSE);
if (trim($contents) !== trim($expected)) {
  $result = FALSE;
  $check_result_value[] = 'incorrect_htaccess';
}
Patch to follow.
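Added example, not part of the original issue or the Security Review module's code: a stand-alone PHP sketch of the comparison discussed above. It goes slightly beyond the patch by also normalizing line endings and by reporting the first differing line, which helps tell a whitespace false positive from a real change. The helper name htaccess_diff() and the sample inputs are constructed for illustration; inside Drupal the expected text would come from file_htaccess_lines().

```php
<?php
// Constructed sample: the three lines the old check hard-coded as $expected.
// Assumption: inside Drupal this would be the return of file_htaccess_lines().
$expected = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\n"
  . "Options None\nOptions +FollowSymLinks";

/**
 * Hypothetical helper: compare .htaccess text, ignoring line-ending style and
 * leading/trailing whitespace. Returns NULL on a match, otherwise a
 * description of the first differing line.
 */
function htaccess_diff($actual, $expected) {
  $normalize = function ($text) {
    // Unify CRLF/CR to LF, trim the whole text, then rtrim every line.
    $text = str_replace(array("\r\n", "\r"), "\n", $text);
    return array_map('rtrim', explode("\n", trim($text)));
  };
  $a = $normalize($actual);
  $e = $normalize($expected);
  $count = max(count($a), count($e));
  for ($i = 0; $i < $count; $i++) {
    $got = isset($a[$i]) ? $a[$i] : '<missing>';
    $want = isset($e[$i]) ? $e[$i] : '<missing>';
    if ($got !== $want) {
      return sprintf('line %d: expected "%s", found "%s"', $i + 1, $want, $got);
    }
  }
  return NULL;
}

// Constructed input 1: identical directives, but CRLF endings and a trailing
// newline, as an editor or deployment tool might leave behind.
$benign = str_replace("\n", "\r\n", $expected) . "\r\n";

// Constructed input 2: the SetHandler line is gone, a change the check must
// still report.
$altered = "Options None\nOptions +FollowSymLinks\n";

// The strict comparison treats the benign file as a mismatch.
var_dump($benign !== $expected);
// The normalized comparison accepts the benign file.
var_dump(htaccess_diff($benign, $expected));
// The normalized comparison still reports the altered file and names the line.
var_dump(htaccess_diff($altered, $expected));
```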
Comments
Comment #1
jwilson3
Comment #2
coltrane
Hi. Thank you for this, but please update your patch against 7.x-1.x-dev, which holds #2141217: Update htaccess content check to support Drupal 7.24
I think the only difference is the trim().
Comment #3
jwilson3
Whoops, should have checked dev first. Here you go.
Comment #5
coltrane
Committed. Thanks!
I plan to get a new stable release out soon.