SA-CORE-2013-003 - Drupal core - Multiple vulnerabilities Temporary files directory is still Not fully protected

That makes two of us. As far as I can see, both files are identical as required by the instructions...

Same here. Copied the suggested .htaccess to /tmp and added Deny from all at the end of the file. Yet I'm still reading on the status page of all of my websites:

Temporary files directory	Not fully protected
See http://drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the /tmp directory to help protect against arbitrary code execution.

Found it!
On /admin/settings/file-system change /tmp to tmp. Just remove the slash.

Closing as a duplicate of #2141065: Incorrect warnings about insecure .htaccess file in /tmp directory from SA-CORE-2013-003; see that issue for details.

Changing "/tmp" to "tmp" in the configuration is not recommended.

O, ok. Thanks. Changing to ./tmp

Changing to "./tmp" is not recommended either (it's the same as "tmp"). Again, see the other issue for details.

Ok, I will read further. I saw so many users saying #5 worked and stopped reading...

According to #15 it worked for me:
Remove the /tmp/.htaccess file and then visit and save the configuration page.

thank you SO much Tino! this worked for me! I have been wracking my brain trying to fix this problem. ROFL! hard to imagine the fix was that simple. HAHA!

#9 did not work for me.

@Tino's posts helps me a lot, thanks!

I used the path home/username/tmp in your files configuration
I think for some reason Drupal can find the tmp above the public_html directory so you have to give the full path that anyway that is what worked for me
since the directory above the public_html can't be accessed from the internet I don't think you need to put the .htaccess file there either you can put it in sites/default/files but dont forget to put back 444 after you need to put it to 755 to upload by ftp just be sure to put it back to 444 afterwards or at least not writable

I replaced the .htaccess file in my sites/default/files directory with the suggested code. The error message went away but so did my background image and my logo. Can someone please tell me what I may have done wrong? THX!

@ David_Rothstein
You refer to the other issue and unrecommend to change to "tmp". But in the other issue first you find a bunch of people telling that they "resolved" it precisely by changing to "tmp". It is no up to #23 that Heine warns not to change.
And you say "for the details"??? The other half of the thread is people that "still" haven't been able to resolve. Then from about #38 one gets too tired and bored to still understand what the heck everybody is saying.

I don't understand you guys.... those who close issues and then refer to other issues "for more details". Don't you understand it is actually, just more confusing stuff and loss of time for the many of us, who do not have the same level of know-how like you? Why don't you just give (copy) the answer to this thread and get it done with? Or why don't you at least indicate the # of the other thread where the answer is...
But no, just a scarce: go to that other, longer thread and see if you can find anything that you can understand and else make that thread even longer...

This is what makes Drupal unsufferable. Half of the questions are simply not answered, and the other half is doing exactly this, refer you to another thread. I think of all the hours and months I have waisted on drupal issues, maybe only 5% actually served to find a an answer. Regarding this issue I found no answer here, nor in the first 40 # of the other thread.
Looking at the sometimes desperate (repeated) requests for solutions from others, it is clear there are many more suffering Drupal in the same way.

@suffering drupal, either you (or anyone else) is welcome to edit the summary/body of that issue to make things more clear (see https://drupal.org/contributor-tasks/write-issue-summary). It would definitely be helpful. But keeping two issues open won't help anyone, which is why I closed this.

The other issue was also a lot shorter and easier to understand at the time I linked to it :) In retrospect, linking directly to a comment (maybe #2141065-23: Incorrect warnings about insecure .htaccess file in /tmp directory from SA-CORE-2013-003 or #2141065-27: Incorrect warnings about insecure .htaccess file in /tmp directory from SA-CORE-2013-003) would have been more future-proof...

[Complete One-step Solution for end-users who stumble upon this page because of this ongoing problem, which existed back in D7] Example: Drupal 8.4.2 online shared webhost; and all Drupal 7 sites on same webhost

You may want to undo any other changes you have made while trying to resolve this issue.

This worked for my new Drupal 8.4.2 site at an online shared webhost, and also has worked for years with Drupal 7.

The Total One-step Solution:

Go to your Drupal 8, or Drupal 7, configuration page:

admin/config/media/file-system

Change the field 'Temporary directory' from...

/tmp

...to...

~/tmp

Click the page-bottom button "Save configuration".

Note: I have also read elsewhere on drupal.org that in addition to ~/tmp, the following may also work-- I do not think it matters what path and folder-name you use, so long as it is not the one which is currently giving you problems:

• ../tmp
• tmp
• /tmpdir
• tmpdir
• Etc.