In security a common (and good) approach is to deny all access to a resource and then specify exactly what may access it. Often this is done the other way around: allowing access to everything and specifying what is not allowed.
As described in http://drupal.org/node/93843, I am suggesting changing the following in .htaccess:
```apache
# Protect files and directories from prying eyes.
<FilesMatch "...">
Order deny,allow
Deny from all
</FilesMatch>
```
to
```apache
# Protect files and directories from prying eyes.
<FilesMatch "...">
Order allow,deny
</FilesMatch>
```
Because the latter is the correct implementation of "Default = Deny, Allow what is set" and is thus technically 'more correct'.
Comment | File | Size | Author |
---|---|---|---|
htaccess_10.patch | 452 bytes | Jax | |
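To make the difference between the two snippets concrete, here is a small model of how Apache 2.2 evaluates Order, Allow and Deny. It is an added example written for this page, not Drupal or Apache code. It follows the documented semantics (all Allow lines form one group, all Deny lines another, Order decides which group is checked first and what happens when neither matches) and assumes, as Jax's tests in comments #6 and #8 below report, that an inner scope such as a .htaccess file that carries its own access directives replaces the rules inherited from an enclosing <Directory> rather than merging with them. Hostname and partial-IP forms of "Allow from" are not modelled; the client addresses and the sample <Directory> path are constructed for the example. It goes a little beyond the issue body by also showing a real whitelist ("Allow from" a network) and a stray "Allow from all" in the same scope, which opens either variant.

```python
"""Model of Apache 2.2 Order / Allow / Deny evaluation (added example).

Not Apache's code: a readable re-statement of the documented rules so the
two .htaccess variants from the issue can be compared on sample clients.
"""
from ipaddress import ip_address, ip_network


def parse_scope(text):
    """Return (order, allows, denys) for the access directives in one scope.

    `order` is None when the scope has no Order line; allows/denys hold the
    host specs ('all', an IP or a CIDR network).  Comments and section tags
    such as <FilesMatch> / <Directory> are ignored.
    """
    order, allows, denys = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        words = line.split()
        name = words[0].lower()
        if name == "order":
            order = words[1].lower()
            if order not in ("allow,deny", "deny,allow"):
                raise ValueError("unsupported Order: " + words[1])
        elif name in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            (allows if name == "allow" else denys).extend(words[2:])
    return order, allows, denys


def host_matches(spec, client):
    """'all' matches everyone; otherwise match an IP or CIDR prefix."""
    if spec.lower() == "all":
        return True
    try:
        return ip_address(client) in ip_network(spec, strict=False)
    except ValueError:
        return False  # hostname / partial-IP specs are not modelled


def decide(scopes, client):
    """True if `client` is allowed, False if denied.

    `scopes` lists config fragments from outermost (httpd.conf <Directory>)
    to innermost (.htaccess).  Assumption from the tests in the thread: the
    innermost scope that contains any access directive is the only one that
    counts.  With no directives anywhere Apache's default is Order deny,allow
    with no rules, i.e. everyone is allowed.
    """
    order, allows, denys = "deny,allow", [], []
    for scope in scopes:
        o, a, d = parse_scope(scope)
        if o is not None or a or d:
            order, allows, denys = (o or "deny,allow"), a, d
    any_allow = any(host_matches(s, client) for s in allows)
    any_deny = any(host_matches(s, client) for s in denys)
    if order == "allow,deny":
        # Allow group first: at least one Allow must match, then no Deny
        # may match.  No match at all -> denied (the default-deny variant).
        return any_allow and not any_deny
    # deny,allow: rejected only if a Deny matches and no Allow rescues it.
    # No match at all -> allowed.
    return not (any_deny and not any_allow)


# The two variants from the issue body and the upstream config from comment #5.
OLD_DRUPAL = "Order deny,allow\nDeny from all\n"
NEW_DRUPAL = "Order allow,deny\n"
PERMISSIVE_PARENT = (
    "<Directory /home/olivier/public_html/tmp/down>\n"  # path from comment #8
    "Order allow,deny\n"
    "Allow from all\n"
    "</Directory>\n"
)


def drupal_scenarios(client="203.0.113.7"):
    """Decisions for one outside client across the configurations discussed."""
    return {
        "old variant alone": decide([OLD_DRUPAL], client),                      # False
        "new variant alone": decide([NEW_DRUPAL], client),                      # False
        "permissive parent, no .htaccess": decide([PERMISSIVE_PARENT], client), # True
        "permissive parent + new variant": decide([PERMISSIVE_PARENT, NEW_DRUPAL], client),  # False
        "permissive parent + old variant": decide([PERMISSIVE_PARENT, OLD_DRUPAL], client),  # False
        "old variant + stray Allow from all": decide([OLD_DRUPAL + "Allow from all\n"], client),  # True
        "new variant + stray Allow from all": decide([NEW_DRUPAL + "Allow from all\n"], client),  # True
    }


if __name__ == "__main__":
    for label, allowed in drupal_scenarios().items():
        print(f"{label:40s} -> {'allowed' if allowed else 'FORBIDDEN'}")
    # A genuine whitelist under the new ordering: only the listed network gets in.
    whitelist = "Order allow,deny\nAllow from 192.0.2.0/24\n"
    print("whitelist, 192.0.2.10  ->", decide([whitelist], "192.0.2.10"))    # True
    print("whitelist, 198.51.100.5 ->", decide([whitelist], "198.51.100.5")) # False
```

The last two scenarios are the reason the ordering alone is not a silver bullet: an "Allow from all" placed inside the same FilesMatch scope opens both variants, so the protective value lies in the scope-replacement behaviour confirmed in the thread, not in the Deny line being visible.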
Comments
Comment #1
Morbus Iff: You know, I was thinking about this again this morning, and I think our /existing/ implementation is /more secure/ than this suggested patch. Consider a badly configured Apache that has document roots set for "Allow from all" - this would override this suggested patch, and give everyone access to our FilesMatch. Likewise, there's no "Allow from none" we can put in here to stop that from happening. With that consideration said, I think it's safer to remain with what we have, even though it is a default whitelisting, than a global blacklist.
Comment #2
Morbus Iff: I think we should probably patch a comment into the .htaccess with the reason why we're doing this "wrong", quote unquote - to protect from upstream bad configurations (like the "Allow from all" I just mentioned).
Comment #3
Jax: Actually it seems an Order statement voids all previous Allow/Deny statements.
When I go to the index.php file in down it gives a forbidden. I'll start looking for documentation about this.
Comment #4
Jax: Actually the section you quoted in the forum topic is relevant here. If the "Allow from" statements were not voided by a new Order you should contact apache2.org to update their documentation to include your warning.
Comment #5
Morbus Iff: I'd want you to test a few more scenarios:
1) Make /.htaccess "Order Allow,Deny\nAllow from all"
2) Make /.htaccess simply "Allow from all".
3) Make [Directory /path/to/your/down/directory]\nOrder Allow,Deny\nAllow from all[/Directory] in your httpd.conf
Comment #6
Jax: With
I get a forbidden on the index.php
With:
I still get a forbidden.
With:
(I restarted the webserver after the modification) and no /.htaccess It still gives forbidden.
Comment #7
Morbus Iff: Can you modify the third, the one in httpd.conf, to point /directly/ to your /down/ directory, as I demo'd?
Comment #8
Jax: With:
And no .htaccess in "/home/olivier/public_html/tmp/down" I can get to the index.php but when I activate the .htaccess in down:
I get a forbidden as intended.
Comment #9
Morbus Iff: In which case, I'm fine with the patch, though could care little if it actually gets in. To some degree, even though the other one is "wrong" in the sense of blacklisting/whitelisting, I feel it's also more obvious at an initial glance (the "Deny from all", being explicit, is telling, compared to just "Order allow,deny", which innocently seems to suggest we allow everything first).
Comment #10
drumm: Committed to HEAD.
Comment #11
(not verified)
Comment #12
Senpai: Just a quick follow-up to ask if one of you would roll that .htaccess "innocent comment" into HEAD. You know, the one that says, "The 'Order allow,deny' blocks access to all the files listed, even though it appears at first glance to leave the barn door open."
I was upgrading sites from 4.7.6 to 5.1 today, and, while comparing my old htaccess to the new one, noticed this change and became alarmed. A little tiny note, even half as long as what I've written above, would soothe some nerves among those who don't use a stock htaccess file and thus can't simply replace their old one with your new version.
"Order allow,deny is the correct way of keeping intruders away from precious files." There. that'd do it.
--
Senpai
Comment #13
drumm: No patch is attached. And we don't need to patronize people with '"precious" files'.
Comment #14
Rainy Day: There's an explanation of this issue in the Apache documentation, which may be useful for anyone who noticed the change and was wondering about the security implications. Synopsis: This change is more secure.
Comment #15
zeta ζ: Should this be closed?
Comment #16
marcingy