In light of todays highly critical security update, I thought it would great if Drupal had a mechanism to allow the site admins the choice to overwrite the .htaccess file if they so choose.

CommentFileSizeAuthor
#33 2141137-nr-bot.txt170 bytesneeds-review-queue-bot
#24 drupal-overwrite_htaccess-2141137-24.patch1.13 KBpguillard
#3 drupal-overwrite_htaccess-2141137-3.patch973 bytescilefen
#1 drupal-overwrite_htaccess-2141137-1.patch812 byteshumansky
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

humansky’s picture

humansky CreditAttribution: humansky commented
FileSize
drupal-overwrite_htaccess-2141137-1.patch812 bytes

I've attached a simple API update that will allow users to run 

file_ensure_htaccess(TRUE)

and it will overwrite the .htaccess file. You can use the code with drush:

drush @sites -y ev "file_ensure_htaccess(TRUE)"

cilefen’s picture

cilefen CreditAttribution: cilefen commented

The new param should be documented.

cilefen’s picture

cilefen CreditAttribution: cilefen commented
FileSize
drupal-overwrite_htaccess-2141137-3.patch973 bytes

Re-rolled with the parameter documented as in the related function.

cilefen’s picture

cilefen CreditAttribution: cilefen commented

File permissions present a problem, for example, when running with drush:

file_put_contents(temporary:///.htaccess): failed to open stream: "DrupalTemporaryStreamWrapper::stream_open" call failed file.inc:498                                       [warning]
WD security: Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your temporary:// directory which contains the following lines...

humansky pointed out on IRC that sudo drush ... takes care of this issue.

cilefen’s picture

cilefen CreditAttribution: cilefen commented

Otherwise, it works.

cilefen’s picture

cilefen CreditAttribution: cilefen commented
Status: Active » Needs review
David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Category: Feature request » Task
Priority: Normal » Critical

Thanks for starting this. We discussed pretty seriously in the security team the idea of attempting to include an automatic update as part of the security release, but it was too risky for a security release and we didn't have enough resources to fully test it.

We should seriously consider it now though, given that the .htaccess file seems to be working fine on pretty much everyone's environment (#2141319: 7.24 update breaks theme: .htaccess: Invalid command '\xa0' is the only issue I saw with problems, but I'm not sure if they're reproducible) and we can discuss it publicly and get more testers.

There's some starter code from the security issue that I can find and try to post here, although I don't have time right this moment.

Although I suppose the patch here is a pretty good improvement by itself (even without an automatic update)...

Fabianx’s picture

Fabianx CreditAttribution: Fabianx commented
Status: Needs review » Reviewed & tested by the community

RTBC, this just makes an existing API easier to use.

Do we need a D8 patch first?

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 3: drupal-overwrite_htaccess-2141137-3.patch, failed testing.

Status: Needs work » Needs review

Fabianx queued 3: drupal-overwrite_htaccess-2141137-3.patch for re-testing.

Fabianx’s picture

Fabianx CreditAttribution: Fabianx commented
Status: Needs review » Reviewed & tested by the community

Status: Reviewed & tested by the community » Needs work

The last submitted patch, 3: drupal-overwrite_htaccess-2141137-3.patch, failed testing.

Status: Needs work » Needs review

Fabianx queued 3: drupal-overwrite_htaccess-2141137-3.patch for re-testing.

Fabianx’s picture

Fabianx CreditAttribution: Fabianx commented
Status: Needs review » Reviewed & tested by the community
David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Version: 7.x-dev » 8.0.x-dev
Priority: Critical » Normal
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs backport to D7

Yes, this same code exists in Drupal 8 now (it might not have when this was originally written) so it should be fixed there first.

Going to lower the priority, though, since this is really just improving the API... We could follow up with a separate issue (after this is backported to Drupal 7) to actually run automated updates for Drupal 7 sites, but even that probably wouldn't be critical at this point.

Still think this would be great to get in, though!

Fabianx’s picture

Fabianx CreditAttribution: Fabianx commented
Title: Give the option to overwrite the .htaccess file » The .htaccess file cannot be overwritten
Category: Task » Bug report
Issue tags: +Security

Re-classifying as a bug.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

20th’s picture

20th CreditAttribution: 20th commented
Parent issue: » #2620304: htaccess functions should be a service

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Related issues: +#2883823: Add an update function to install new .htaccess files in file directories when possible

We could follow up with a separate issue (after this is backported to Drupal 7) to actually run automated updates for Drupal 7 sites

This is now at the linked issue.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

pguillard’s picture

pguillard CreditAttribution: pguillard commented
Status: Needs work » Needs review
FileSize
drupal-overwrite_htaccess-2141137-24.patch1.13 KB

Patch rerolled fr 8.5.x and slightly adapted.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev
apaderno’s picture

apaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
CreditAttribution: apaderno as a volunteer commented
Issue tags: -htaccess, -Security +Security improvements

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

needs-review-queue-bot’s picture

needs-review-queue-bot CreditAttribution: needs-review-queue-bot as a volunteer commented
Status: Needs review » Needs work
FileSize
2141137-nr-bot.txt170 bytes

The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

voleger’s picture

voleger
he/his
Primary language Ukrainian
Location Ukraine, Rivne
CreditAttribution: voleger as a volunteer and at GOLEMS GABB, Drupal Ukraine Community for Drupal Ukraine Community, GOLEMS GABB commented
Version: 9.5.x-dev » 7.x-dev
Issue tags: -Needs backport to D7

The composer scaffold plugin allows you to prepend or append the additions for the core .htaccess file. Also, it will enable us to replace it entirely. So it is not the issue of Drupal 10-based projects. I am moving this issue back to the 7.x queue.