This is a 7.x backport of the parent issue.
Drupal should support RFC 5785, which establishes a .well-known URI location: https://tools.ietf.org/html/rfc5785
These URIs are registered with IANA: https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
This patch whitelists the .well-known directory in Drupal's .htaccess directive which blocks access to all hidden directories.
Nginx users can allow the .well-known directory like this (above the general line to block hidden directories and other stuff):
Comment | File | Size | Author |
---|---|---|---|
#7 | htaccess-no-tests-2847325-7.x.patch | 1.16 KB | sammuell |
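The behaviour the issue summary describes (hidden directories stay blocked, only the root-level .well-known directory is let through) can be checked offline before a rule is deployed. This is an added example, not code from the patch or from Drupal core; the regular expression, the function names and the sample paths are constructed for illustration, and the patch's own expression is not shown on this page.

```python
import re

# Assumed pattern, constructed for this example (not copied from the patch):
# forbid any path that contains a dot-prefixed segment, except a
# root-level ".well-known/" directory.
HIDDEN_EXCEPT_WELL_KNOWN = re.compile(r"/\.|^\.(?!well-known/)")


def is_blocked(path: str) -> bool:
    """Return True if the rule would refuse this request path.

    The path is relative to the document root with no leading slash, which
    is what a RewriteRule in a per-directory .htaccess file matches against.
    """
    return HIDDEN_EXCEPT_WELL_KNOWN.search(path) is not None


# Constructed request paths mapped to the outcome a defender should expect
# (True = blocked, False = served).
SAMPLES = {
    ".well-known/acme-challenge/token123": False,  # RFC 5785 location
    "index.php": False,                            # ordinary request
    ".git/config": True,                           # VCS metadata at the root
    "sites/default/.git/HEAD": True,               # VCS metadata, nested
    ".well-known-backup/dump.sql": True,           # look-alike prefix
    "sites/.well-known/x": True,                   # not at the root
    ".well-known/.secret/key": True,               # hidden dir inside it
    ".htaccess": True,                             # hidden file at the root
}


def audit(samples=SAMPLES):
    """Return the paths whose actual outcome differs from the expected one."""
    return [p for p, expected in samples.items() if is_blocked(p) != expected]


if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{'BLOCK' if is_blocked(path) else 'ALLOW':5}  {path}")
    print("mismatches:", audit())
```

The look-alike, nested and hidden-inside cases are the ones worth keeping in any regression list: an exception written as a plain prefix match instead of `well-known/` would let `.well-known-backup/` through.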
Comments
Comment #2
sammuell commented:
Here's a 7.x patch including tests.
Comment #3
sammuell commented
Comment #5
sammuell commented:
Hmm, the patch works locally. It seems to be an issue with the automated testing clients. Does anyone have an idea?
Comment #6
John Morahan (as a volunteer) commented:
Well, if the ownership and permissions are correctly configured (which I assume they are on the testing clients) they won't have write access to
drupal_mkdir(DRUPAL_ROOT . '/.well-known');
so that won't work.
Comment #7
sammuell commented:
Too bad, in that case there won't be any automated tests. Here's the parent issue's patch without the tests.
Comment #8
John Morahan (as a volunteer) commented:
The patch makes the same changes to .htaccess as the combined two D8 patches from the parent issue.
The regular expressions are the same as the ones that were already reviewed on the parent issue. I reviewed them again and they still look correct.
I repeated the tests that I ran locally on the parent issue, with the same successful results:
There's a separate issue #2699701: Testing RFC 5785 Support to add tests for this in D8, so I guess that would be backported separately when it's done...?
Comment #9
DamienMcKenna commented:
I can confirm this helped me get the letsencrypt system working on a site.
Comment #10
mrconnerton commented:
I can also confirm this worked for me + letsencrypt.
Comment #11
xmacinfo commented:
I believe it's time to commit this patch.
Drupal 7 should support Let's Encrypt out of the box too.
Comment #12
stefan.r commented
Comment #13
sammuell commented:
Is there any other step missing except for the actual commit to core?
Comment #14
jeffschuler commented:
This allowed me to get LetsEncrypt/Certbot working. Thank you!
Comment #15
stefan.r commented:
We're aiming to get this into next week's release.
Comment #16
David_Rothstein (as a volunteer) commented:
Committed to 7.x - thanks!
I added a note about this to CHANGELOG.txt. Not sure if we want a change notice also? - there is one that was written for Drupal 8 at https://www.drupal.org/node/2661732 but it was never published because it has some problems.
As far as I can see, we're still blocking this for IIS servers in web.config, but it seems fine to fix it for Apache first. We should have a followup issue for IIS.
Comment #18
David_Rothstein (as a volunteer) commented:
Eh, I was going to file an issue about IIS, but the web.config file is pretty different for Drupal 7 and Drupal 8 and I'm not even sure if it's being blocked there or not... so I'll leave that for someone else to do if it turns out to be an issue after all.