New Drupal user here.
I have a simple site that I'm hosting on Bluehost. I received an automated notice today that I needed to upgrade to 7.24 b/c of a vulnerability. I followed all of the instructions and everything seems to have worked EXCEPT for the .htaccess modifications specified in SA-CORE-2013-003 with respect to the temporary files directory.
I was able to update the .htaccess file in the public directory, however, I have been unsuccessful with the /tmp directory. Admin->Reports->Status Report still shows that the "Temporary Files Directory" is "Not Fully Protected."
- admin/config/media/file-system states that my temporary directory is /tmp/
- when I browse to that directory, there is no .htaccess file
- I copied the .htaccess file from my public files directory to this location, and also verified that the contents of the .htaccess file were the same as those specified in the security bulletin
- I flushed the cached...
What am I missing? Thanks!
Comments
Same issue
I have followed all of the same steps as chbvl and am having the same error. I uploaded the .htaccess file as described in SA-CORE-2013-003. This resolved the error for my 2 public folder locations, however did not resolve the error with the /tmp folder.
My /tmp directory did not have a .htaccess file in it after updating the core files and I was receiving the error as above. I uploaded the same .htaccess file that I used successfully in the public folders directly into the /tmp folder. This error is still manifesting :(
Thanks in advance for any advice
You can ignore the error for
You can ignore the error for now, as it has no consequences, until a fix for the erroneous report can be published. Best to report an issue in the core queue.
+1
+1
+1
Same issue on several D6 sites..
Waiting for the fix..
Just in the process of
Just in the process of upgrading some 6.x sites on shared hosting and I do not have access to the /tmp folder...
Move "tmp" folder
Hi chbvl
I had this problem too; when I moved the "/tmp" folder to "sites/glinboy.com/files/tmp", the error disappeared!
This folder has this .htaccess
Maybe this helps you :)
The problem with /tmp is that
The problem with /tmp is that it's cleaned on every reboot, so I'm not sure if it's a good idea to put the .htaccess file there.
Should I change my Drupal config to use sites/default/files/tmp as the temporary directory? Is this the preferred solution? What file permissions/owner should this directory have?
No, you should not change
No, you should not change your Drupal config to have tmp in sites/default/files/tmp. Having tmp and private below the webroot is not recommended (but is supported). Ignore the error, until core has been fixed.
Changing temporary folder is
Changing the temporary folder is so easy; go to this path:
Configuration > File system
(Or much easier, just copy "admin/config/media/file-system" and add it to the end of the domain; for example, for http://glinboy.com/ it is http://glinboy.com/admin/config/media/file-system)
Now, under the Temporary directory field, enter the new path, "sites/default/files/tmp".
Make sure you create this folder under the files directory.
I set the permissions to 755 and it works!
This folder is used for temporary files, so don't worry about that.
(NOTE: maybe you need to make an .htaccess under the tmp folder)
I use it for my sites and everything works fine; Drupal is great!!!
Have Private and tmp outside of web root
But having your private or tmp folder in your public_html or whatever it is called is not secure.
You are good, move the /tmp
You are good, move the /tmp to sites/tmp, problem solved.
#13 This fixed for me
#13 This fixed for me
just placed this into my /tmp/.htaccess & sites/default/files/.htaccess
Configuring the temporary directory for plup upload
#13 This fixed for me
just placed this into my /tmp/.htaccess & sites/default/files/.htaccess
Thanks, this worked for me.
/tmp different from shared hosting tmp folders
On many shared hosting platforms they set up a specific, per-account tmp folder for you. We just went through this with my company, which has a number of sites on various shared hosting platforms. Some actually have a dedicated tmp folder for the account as previously mentioned, which is a sibling of the public_html/www directory your Drupal site is hosted in. So, instead of /tmp you would use ../tmp (for a path relative to Drupal or the absolute path, i.e., /home/user/tmp). If the host doesn't have one already set up you may want to create your own and again use the absolute path. Just make sure that the account can read into that folder (much like setting up the private files folder: https://drupal.org/documentation/modules/file "Managing file location and access")
While you can, obviously, use /tmp, as @tbm13 pointed out the actual /tmp folder is a system folder that gets flushed on reboot and/or any number of Sysadmin triggers. Not only that but /tmp is inaccessible to the public from apache, so putting an .htaccess file in there doesn't make sense on a number of levels. There should be some kind of filter that if you're using the true system /tmp directory the big scary error message doesn't show up.
+1. Waiting for an update to
+1. Waiting for an update to the core.
That's right it seems. Go to
That's right it seems. Go to Configuration/File System and changing /tmp to ../tmp fixes the error in the Status update page with the .24 release.
../tmp
This worked for me. Thanks.
This worked for me too
I'm on a shared hosting plan and this corrected the tmp issue and location. Thanks!
finally...
thank you for the info. "../tmp" fixed it for me in 7.27
it worked
Thanks for the info. "../tmp" also fixed it for me in 7.31 for a subdomain
Worked for me too.
Worked for me too.
Only took me 4 years to get around to fixing it. :P
Thank you!
I am on a shared hosting plan so that explains it better. I had made the change based on other posts but I had no idea why. Reasoning may help resolve other problems. Thanks again for the clarity.
thank you very much
It works for Drupal 7.34
This is what you do...
Go to Configuration
-File System
Change your public file system path to "yourwebsitename.com"/sites/default/files (fixes error #1)
Change your temporary directory to home/"yourdatabasename"/tmp (fixes error #2)
*Do not include the quotation marks.
Confirmed.
Thanks Birdybird.
It worked !!!
Thank you so much
Did not work
Not sure if I did exactly what you indicated, but when I changed my public path to www.mysite.com/cms/sites/default/files it changed my image upload path to www.mysite.com/cms/www.mysite.com/cms/sites/files. Created path auto and ctools directories, too. Perhaps I should not have put the 'www.' there but it seems that it would not have helped. It did, however fix the error that you indicated.
Solution.
Thanks Birdybird for helping solve the #2 warning.
Place /tmp file at root of your Drupal installation with the new .htaccess file (solved error #1)
Changed -- Configuration > File system > Temporary directory to: home/"site database name"/tmp (fixed error #2)
*Replace "site database name" with the name of your database created at setup. No quotes.
I'm a bit confused here. I
I'm a bit confused here. I got this
And I read this -> https://drupal.org/SA-CORE-2013-003
I follow the instructions and the error gone. But I still want to know what's going on.
This issue has a bug report open
There's a bug report here: https://drupal.org/node/2141065
The bug states that the /tmp folder might be protected (if you followed the instructions correctly) but the status report doesn't get it right.
Not a Bug
This isn't a bug. The simple answer is to delete both .htaccess files from your /domain.com/sites/default/files folder and the /tmp folder located OUTSIDE of your drupal installation (typically at the root). Visit the file system page "(admin/settings/file-system in Drupal 6 or admin/config/media/file-system in Drupal 7)" and hit save. It will regenerate both .htaccess files for you.
The confusion comes in finding the tmp folder. Head to the root of your host and you should see the /tmp folder which is probably not located in the /home folder. People pointing to new temp files are just trying to bypass the intended tmp folder on your host.
That is the right way
What jimusik wrote is the most easy and efficient way to get the right .htaccess files at the right places.
Almost correct
I followed what 'jimusik' said but this only worked for my files folder. I didn't have a .htaccess file in my tmp folder.
Only removed one of the errors.
It certainly is a bug. Non
It certainly is a bug. Non webaccessible directories such as /tmp do not need a .htaccess.
Thank you jimusik
Thank you for the clear instructions. I wish the SA-CORE-2013-003 page had broken the text "Alternatively, you can remove the .htaccess file from each directory using SFTP or SSH and then visit the file system configuration page..." out of the paragraph it is in to emphasize it more, or maybe, if this works so well, emphasize this as the preferred way to do it instead of seemingly emphasizing the manual editing process instead. At least, that is how I read that page and was proceeding, unsuccessfully. I honestly DO try to read the instructions...
I changed /tmp to /home/
I changed /tmp to /home/[username]/tmp and it works
I can't find /tmp anywhere
I can't find the /tmp folder anywhere.
This "Not fully protected" message should not be visible in drupal lighttpd installations.
private and temp .htaccess contents
The alert at https://drupal.org/SA-CORE-2013-003 states that, for D7, the .htaccess in the temp and private folders should include
deny from all
Is this in ADDITION to the content sample provided in the alert:
For Drupal 7:
OR
do we just add that line "deny from all" to the .htaccess files in the private and temp directories?
tmp folder
Go to file-system and change /tmp to tmp; after saving, Drupal automatically creates everything in the root directory, with an .htaccess file inside the tmp folder.
Fixed for me
Thanks pougas, that solved my problem!
same thanks!
same thanks!
Fixed for me too
Thanks, Pougas.
But why do we have this error now with 7.24?
Thanks pougas, solved problem!
Thanks pougas, that solved my problem!
/tmp file not found
OK, I found the public folder .htaccess file, updated it, and the error message went away.
..but the only tmp file I find is under cgi-bin directory. Is that directory the correct one to place an .htaccess file? Do some Drupal installs not use a tmp directory?
Drupal 7.2.4
Color me confused.
/tmp
Hello,
My Drupal 7.24 site was showing the /tmp error in the status report. I changed it under Media/File system to ../tmp and the error disappeared. My hosting is shared, at 1 and 1, and I had no /tmp folder visible through my FTP.
Thanks, and regards to all....
.htaccess is a very powerful
.htaccess is a very powerful file on your server; permissions should be owner - read, user - read
"sites/default/ folder permissions should be set to owner - read\execute 500" and your settings.php file to owner - read 400
and please move your upload files folder out of sites/default to some place like sites/files
You have to hit save at admin/config/media/file-system to create your /tmp folder, plus you might have to change the name to something like tmp2 because your server already uses tmp and will not show it.
Just delete the .htaccess
Just delete the .htaccess file from your tmp folder, drupal will make it again and remove the message.
Drupal does not find the tmp folder
It does not work because Drupal does not find the tmp folder.
Remove slash
Make a dir named "tmp" in root with 777 permissions
Remove the slash in Administration » Configuration » Media: File system » Temporary directory:
change "/tmp" into "tmp"
An automatic .htaccess is made in this tmp dir
The error in the status report disappeared.
My webserver is secured on a higher level to prevent unauthorised access even if permissions are 777.
Still no Luck
I get the "exists but not writeable" despite owner being apache (centos) and with new .htaccess or no .htaccess. /tmp only works with no .htaccess. Thought it was SELINUX issue but that is disabled. I can make it work with a 777 but hate having it wide open despite not sharing my server. And dirs are +x too. PITA as this was just a minor upgrade from 7.20. And because not writeable, drupal won't make a .htaccess in the files dir. Got similar deal with ctools/css even though it is also owned by httpd user.
Fix in the works CentOS 5.8 Plesk
Can't tell yet how widespread this is, but drupal is NOT writing files as apache or www-data but as the user set up for the web service in Plesk. I'm guessing some change was made in Apache that is changing httpd to be run as a different user depending on domain. Surely this is server specific config issue and not a Drupal issue as plenty of folks are not having this problem. It explains why 777 works but no need for that now. Chown recursively through the files dir makes it work and allows uploads. Fixes the ctools/css permission error as well.
Thanks
That's right it seems. Go to
Posted by royerd on November 22, 2013 at 1:29pm new
That's right it seems. Go to Configuration/File System and changing /tmp to ../tmp fixes the error in the Status update page with the .24 release.
solve my problem
../tmp
This worked for me on a second and different hosting company as my dreamhost account but I'm not clear where the ../ points. I can't find a generated tmp file in the parent directory with .htaccess but it seemed to fix the problem. Anyone out there with a better understanding where ../tmp points and why it works? I don't like the idea of putting a temp folder like previous suggestions inside the drupal install. That seems to add a level of access to that folder which this update is supposedly limiting.
Just Upgraded - Same Problem - Consensus on the Fix?
I just upgraded and have the same problem. There seem to be a lot of different solutions suggested here (it's a bug...need to change configuration settings...delete files). Any consensus on what the "right" fix is?
Just delete and resave File System page
I found that jimusik's suggestion worked great and the newly worded .htaccess files are created and seem to pass the report page's test.
My way to resolve these BUGs: quick & dirty actions
1. For "Temporary directory": change from " /temp " (or other path) into " yourdomain.xxx/admin/config/media/file-system " to " temp " and SAVE
2. For "Public file system path": remove the current .htaccess file from /sites/default/files and afterwards go to "yourdomain.xxx/admin/config/media/file-system" and press SAVE
3. For "Private file system path": remove the current .htaccess file from /sites/default/files/private and afterwards go to "yourdomain.xxx/admin/config/media/file-system" and press SAVE
These three simple actions will bring the smile back to your face :)
Ciao
Fabrizio
Possible solutions
Hello there,
I found these solutions to remove all the warnings.
(don't forget to copy the new .htaccess into the correct folder)
Go to "/admin/config/media/file-system"
1. For "Temporary directory": change from " /tmp " to " ../tmp".
2. For "Public file system path": change from "/sites/default/files" to "../sites/default/files".
3. For "Private file system path": change from "/sites/default/private" to "../sites/default/private".
Then all works fine for me.
Bye bye,
Leonardo
It Worked!
Thank you @pampa80! this worked for me.
On bluehost this worked with
On bluehost this worked with one change. Only the "/tmp" setting needed to be changed to "../tmp" Steps #2 and #3 were not needed.
Temp file error - solved for me
Hi
I just moved servers and got the errors as above. The main difference between the two servers is that the new server has "AllowOverride None". I thought I'd try everyone's solution, but I came up with my own?
set chmod 777 for all folders under files/
in the .htaccess file, I commented out "Deny from all" so my file looks like this:
And I solved this issue at 4am :P
Malcs
../tmp
This worked for me. Thanks
Confused beyond belief
I've updated to 7.26 and still have:
public files directory not fully protected
http://drupal.org/SA-CORE-2013-003
Looking this up it mentions .htaccess 19 times. I don't understand how this file functions and from the description of the security risk, I don't know how to duplicate or test for the problem. So, how do I know when I'm finished following all these instructions that everything is done properly. Then on top of all that, it says in here to ignore the error report.
I don't know what to do from here.
add the complete path to the tmp directory
on the files page Home » Administration » Configuration » Media
add the complete path to the tmp directory which should be above your public_html folder this is probably something like home/user_name/tmp
Worked for me
This worked for me, after ..tmp failed (error message said something like Drupal is unable to write/create file/directory).
Changed
/tmp
to
home/myusername/tmp
That worked for me too. Thank you - rwscid
home/myusername/tmp
great
../tmp worked for me. thanks.
Drupal 7.32 for tmp and
Delete existing .htaccess files from your tmp and private folders.
Run cron to create the missing .htaccess files.
Drupal 7.32 .htaccess code that is created for tmp and private folders:
Is Different
The .htaccess code I posted above is indeed different from earlier versions of Drupal 7. I thought I had mine correct as it was correct before, but after the Drupal version where this issue first started popping up it did change and now includes the lower part of that code after "Options +FollowSymLinks".
Upgrade to 7.32
When will this .htaccess security issue be included in the upgrades? I have made the changes in all of the places that I can find the file and I still get the error in the configuration status page.
When will this .htaccess
It won't. Drupal generates the file for you. Follow the instructions of the previous poster.
fix: name temporary files directory to : ../tmp
You need to be explicit about the notation for identifying the temporary directory relative to the web root directory. If they are both contained within the same parent directory then use the notation:
../tmp
The directory structure that supports this notation might look like this:
/parent_dir
/tmp
/public_html (www)
[DRUPAL ROOT directory files]
sites
default
...
...
cheers,
kev
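The resolution described above, as an added example that is not part of the original post: a Python sketch that resolves a "Temporary directory" value against the Drupal root, reports whether the result falls inside the document root, and if so whether its .htaccess carries a "Deny from all" line. It assumes relative values are resolved against the Drupal root and that Drupal sits directly in the document root; the function names and the directory tree built in demo() are constructed for illustration.

```python
import os
import shutil
import tempfile


def resolve_temp_dir(drupal_root, setting):
    """Resolve the 'Temporary directory' value. Assumption: a relative value
    is taken relative to the Drupal root, as the posts above describe."""
    if not os.path.isabs(setting):
        setting = os.path.join(drupal_root, setting)
    return os.path.realpath(setting)  # collapses ../ and follows symlinks


def is_inside(path, parent):
    """True if path is parent itself or lies below it."""
    path, parent = os.path.realpath(path), os.path.realpath(parent)
    return os.path.commonpath([path, parent]) == parent


def has_deny_all(directory):
    """True if directory/.htaccess has an uncommented 'Deny from all' line."""
    try:
        with open(os.path.join(directory, ".htaccess"), encoding="utf-8") as fh:
            lines = fh.read().splitlines()
    except OSError:
        return False
    return any(" ".join(l.split()).lower() == "deny from all"
               for l in lines if not l.lstrip().startswith("#"))


def audit(docroot, drupal_root, setting):
    """Return (resolved path, verdict) for one temporary-directory setting."""
    resolved = resolve_temp_dir(drupal_root, setting)
    if not os.path.isdir(resolved):
        verdict = "missing"
    elif not is_inside(resolved, docroot):
        verdict = "outside-docroot"      # not mapped to a URL by the docroot
    elif has_deny_all(resolved):
        verdict = "in-docroot-denied"
    else:
        verdict = "in-docroot-exposed"   # web-reachable, no deny rule found
    return resolved, verdict


def demo():
    """Constructed layout: parent_dir/tmp beside parent_dir/public_html."""
    base = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(base, "public_html")
    inner = os.path.join(docroot, "sites", "default", "files", "tmp")
    for d in (os.path.join(base, "tmp"), os.path.join(docroot, "tmp"), inner):
        os.makedirs(d)
    with open(os.path.join(inner, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write("# constructed sample\nDeny from all\n")
    results = {}
    for setting in ("../tmp", "tmp", "sites/default/files/tmp", "../missing"):
        resolved, verdict = audit(docroot, docroot, setting)
        results[setting] = (os.path.relpath(resolved, base), verdict)
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for setting, (where, verdict) in demo().items():
        print(f"{setting:26} -> {where:38} {verdict}")
```

The check reads the filesystem only; it cannot tell whether Apache honours the file, which it does not when AllowOverride is None.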
Another issue occurred
After an error [SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities] notice showed up in my site's status report page, I rewrote the content according to this https://www.drupal.org/SA-CORE-2013-003, and the error itself was solved and gone.
But it turned out that all the CSS and pictures of my site were entirely lost!!
It may mean that all the things from sites/default/files are not loaded now.
What I did was just change the content of the .htaccess at sites/default/files.
Now I tried to change the content of the .htaccess back to the former one, but the missing CSS and pictures still can't be applied again...
In my case, the .htaccess was in sites/default/files, and I changed the permissions of the sites, default and files folders, the .htaccess and settings.php, because rewriting the .htaccess was not allowed; maybe one of those caused the problem. But I also changed the permissions back to how they should be, according to Drupalers' tips.
I'm using Drupal 7.34 and I don't know how to fix it. Could someone please help me?
Delete the .htaccess file, go
Delete the .htaccess file, go to Admin -> Configuration -> Media -> File system, and click 'save' at the bottom of the page. This should recreate the .htaccess file, and ideally everything should work then.
I tried it but...
Hi Jaypan, I tried exactly what you said and Drupal surely recreated a new .htaccess at sites/default/files.
But nothing happened...
On the other hand, when I try to open (see) the [files] directory, the FTP client software always shows the message below with an error sound.
< Error: 2 file(s) which are not JIS name have not been displayed. >
Not sure if this is related to the whole files directory not being loaded.
If that didn't solve the
If that didn't solve the problem, the problem is likely somewhere else. Maybe you have another .htaccess in a parent directory that is doing something funny. You may want to also look at the .htaccess in the root directory to see if you have any custom modifications in there that may be causing your problems.
Never modified root .htaccess
I think I don't have any modification in the root .htaccess, and I'm also not sure what kind of modification might cause a problem.
But Drupal is made out of various components and every small change might affect others, so I should research it.
Any suggestion of where to look in the root .htaccess?
Look for something that
Look for something that refers to image files I suppose (.jpg, .png etc).
I looked inside the root .htaccess.
Thank you for your help Jaypan.
I don't find any line specially related to pictures,
but there are some line including about css.
(my real site's name is replaced with ********, as it can't be published yet.)
________________________________________________________________
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.********\.com
RewriteRule ^(.*) http://********.com/$1 [R=301,L]
# Apache/PHP/Drupal settings:
#
# Protect files and directories from prying eyes.
Order allow,deny
# Don't show directory listings for URLs which map to a directory.
Options -Indexes
# Follow symbolic links in this directory.
Options +SymLinksIfOwnerMatch
# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php
# Set the default handler.
DirectoryIndex index.php index.html index.htm
# Override PHP settings that cannot be changed at runtime. See
# sites/default/default.settings.php and drupal_environment_initialize() in
# includes/bootstrap.inc for settings that can be changed at runtime.
# PHP 5, Apache 1 and 2.
php_flag magic_quotes_gpc off
php_flag magic_quotes_sybase off
php_flag register_globals off
php_flag session.auto_start off
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_flag mbstring.encoding_translation off
# Requires mod_expires to be enabled.
# Enable expirations.
ExpiresActive On
# Cache all files for 2 weeks after access (A).
ExpiresDefault A1209600
# Do not allow PHP scripts to be cached unless they explicitly send cache
# headers themselves. Otherwise all scripts would have to overwrite the
# headers set by mod_expires if they want another caching behavior. This may
# fail if an error occurs early in the bootstrap process, and it may cause
# problems if a non-Drupal PHP file is installed in a subdirectory.
ExpiresActive Off
# Rewrite JavaScript callback URLs of the form js.php?q=x.
RewriteCond %{REQUEST_URI} ^\/([a-z]{2}\/)?js\/.*
RewriteRule ^(.*)$ js.php?q=$1 [L,QSA]
RewriteCond %{QUERY_STRING} (^|&)q=((\/)?[a-z]{2})?(\/)?js\/.*
RewriteRule .* js.php [L]
# Various rewrite rules.
RewriteEngine on
# Set "protossl" to "s" if we were accessed via https://. This is used later
# if you enable "www." stripping or enforcement, in order to ensure that
# you don't bounce between http and https.
RewriteRule ^ - [E=protossl]
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=protossl:s]
# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or
# Git to store control files. Files whose names begin with a period, as well
# as the control files used by CVS, are protected by the FilesMatch directive
# above.
#
# NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
# not possible to block access to entire directories from .htaccess, because
# <DirectoryMatch> is not allowed here.
#
# If you do not have mod_rewrite installed, you should remove these
# directories from your webroot or otherwise protect them from being
# downloaded.
RewriteRule "(^|/)\." - [F]
# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
# For example if your site is at http://example.com/drupal uncomment and
# modify the following line:
# RewriteBase /drupal
#
# If your site is running in a VirtualDocumentRoot at http://example.com/,
# uncomment the following line:
# RewriteBase /
# Pass all requests not referring directly to files in the filesystem to
# index.php. Clean URLs are handled in drupal_environment_initialize().
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]
# Rules to correctly serve gzip compressed CSS and JS files.
# Requires both mod_rewrite and mod_headers to be enabled.
# Serve gzip compressed CSS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.css $1\.css\.gz [QSA]
# Serve gzip compressed JS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.js $1\.js\.gz [QSA]
# Serve correct content types, and prevent mod_deflate double gzip.
RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]
# Serve correct encoding type.
Header set Content-Encoding gzip
# Force proxies to cache gzipped & non-gzipped css/js files separately.
Header append Vary Accept-Encoding
php_value upload_max_filesize 10M
php_value post_max_size 10M
Made a little progress.
Today I made a little progress: when I UNCHECKED "Aggregate and compress CSS files" at admin/development/performance, the theme and CSS almost came back across the entire site. But all the pictures of my site are still missing; not sure whether those are all from sites/default/files...?
You probably have an error in
You probably have an error in your CSS somewhere. Validate it.
got recovered.
Hi Jaypan. I found a solution: opening the .htaccess at sites/default/files and changing this code [Options +SymLinks] to [Options +SymLinksIfOwnerMatch]; then all the pictures came back properly... I don't know why. But thank you very much for your great help!!!
is .htaccess required for tmp
I'm struggling to resolve the tmp folder issue. I have a shared server and my .htaccess in the Drupal root doesn't work, which means AllowOverride might have the value None; however, the hosting team confirms that it is set to All as per my request.
I always get the errors below when I upload a file from content > files > add new file
•The file could not be saved. An unknown error has occurred.
•The file in the Upload a new file field was unable to be uploaded.
When I go to content upload, hit the upload image icon in CKEditor and try to upload the image from the CKFinder popup, it says
no temporary folder found
I'm stuck. Please help and please answer all my questions above.
change path from /tmp to tmp
Just double-check the path to your Drupal tmp folder.
Change the path from /tmp to tmp (if Drupal is in the public_html folder)
You don't need to create the .htaccess files; they are already there (Drupal 7.38)
tmp on Bluehost
I'm on Bluehost and some people have said changing the temporary folder from /tmp to ../tmp helped them. That didn't solve the issue for me. Looking at my folder structure it seemed to me that it should be ../../tmp, so I changed it and that worked.
On a shared host, create a subfolder
In /admin/config/media/file-system, put: /tmp/some-subfolder-name/
(save)
Drupal creates the subfolder and an .htaccess in the subfolder.
This setup prevents collisions with files created by other users.
For example: echo some-secret | sha1sum
c4379dc46a418d97e906c3465275091fb3dbaace
-> /tmp/c4379dc46a418d97e906c3465275091fb3dbaace