In light of todays highly critical security update, I thought it would great if Drupal had a mechanism to allow the site admins the choice to overwrite the .htaccess file if they so choose.
Comment | File | Size | Author |
---|---|---|---|
#33 | 2141137-nr-bot.txt | 170 bytes | needs-review-queue-bot |
#24 | drupal-overwrite_htaccess-2141137-24.patch | 1.13 KB | pguillard |
#3 | drupal-overwrite_htaccess-2141137-3.patch | 973 bytes | cilefen |
#1 | drupal-overwrite_htaccess-2141137-1.patch | 812 bytes | humansky |
Comments
Comment #1
humansky CreditAttribution: humansky commentedI've attached a simple API update that will allow users to run
and it will overwrite the .htaccess file. You can use the code with drush:
drush @sites -y ev "file_ensure_htaccess(TRUE)"
Comment #2
cilefen CreditAttribution: cilefen commentedThe new param should be documented.
Comment #3
cilefen CreditAttribution: cilefen commentedRe-rolled with the parameter documented as in the related function.
Comment #4
cilefen CreditAttribution: cilefen commentedFile permissions present a problem, for example, when running with drush:
humansky pointed out on IRC that
sudo drush ...
takes care of this issue.Comment #5
cilefen CreditAttribution: cilefen commentedOtherwise, it works.
Comment #6
cilefen CreditAttribution: cilefen commentedComment #7
David_Rothstein CreditAttribution: David_Rothstein commentedThanks for starting this. We discussed pretty seriously in the security team the idea of attempting to include an automatic update as part of the security release, but it was too risky for a security release and we didn't have enough resources to fully test it.
We should seriously consider it now though, given that the .htaccess file seems to be working fine on pretty much everyone's environment (#2141319: 7.24 update breaks theme: .htaccess: Invalid command '\xa0' is the only issue I saw with problems, but I'm not sure if they're reproducible) and we can discuss it publicly and get more testers.
There's some starter code from the security issue that I can find and try to post here, although I don't have time right this moment.
Although I suppose the patch here is a pretty good improvement by itself (even without an automatic update)...
Comment #8
Fabianx CreditAttribution: Fabianx commentedRTBC, this just makes an existing API easier to use.
Do we need a D8 patch first?
Comment #11
Fabianx CreditAttribution: Fabianx commentedComment #14
Fabianx CreditAttribution: Fabianx commentedComment #15
David_Rothstein CreditAttribution: David_Rothstein commentedYes, this same code exists in Drupal 8 now (it might not have when this was originally written) so it should be fixed there first.
Going to lower the priority, though, since this is really just improving the API... We could follow up with a separate issue (after this is backported to Drupal 7) to actually run automated updates for Drupal 7 sites, but even that probably wouldn't be critical at this point.
Still think this would be great to get in, though!
Comment #16
Fabianx CreditAttribution: Fabianx commentedRe-classifying as a bug.
Comment #19
20th CreditAttribution: 20th commentedComment #21
David_Rothstein CreditAttribution: David_Rothstein commentedThis is now at the linked issue.
Comment #24
pguillard CreditAttribution: pguillard commentedPatch rerolled fr 8.5.x and slightly adapted.
Comment #30
apadernoComment #33
needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commentedThe Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
Comment #34
volegerThe composer scaffold plugin allows you to prepend or append the additions for the core .htaccess file. Also, it will enable us to replace it entirely. So it is not the issue of Drupal 10-based projects. I am moving this issue back to the 7.x queue.