Hi I have just upgraded Drupal core module and am having some problems:
Note: The question is at the bottom
I am getting this message in my status report:
Temporary files directory Not fully protected
See http://drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the /tmp directory to help protect against arbitrary code execution.
So I follow the link and I get the code below to add to my .htaccess file (which I had to create) for my /tmp directory
# Turn off all options we don't need.
Options None
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
Then I get this additional instruction:
Additionally, the .htaccess of the temporary files directory and private files directory (if used) should include this command:
Deny from all
The question is this:
Where exactly do I put the ‘Deny from all’ command in the code above? I have tried placing it at the top and at the bottom of the code above and I still get the same status report message.
Thanks
Comments
Deny directive
My .htaccess in my sites/default/files/private, in the first site I've updated to 7.24, looks like this:
This works for me (the Symlinks needs to be the way it is because of my hosting provider's configuration).
Does this not work for you?
============================
Resonetrics: Better Tools for Building Brands
http://resonetrics.com
http://technologyformarketers.com
http://kittenassociates.org
http://www.linkedin.com/in/sammooreatresonetrics
Sam, I just tried your suggestion and it didn't work.
Note: I don't have a 'private' folder.
When I updated Drupal to 7.24 I was instructed to update my .htaccess in sites/default/files. So I did that using their recommended code and it worked fine (in that one I didn't put the 'Deny from all' command).
But I was also instructed to update my .htaccess file in /tmp. As I have a /tmp folder but didn't have an .htaccess file I created one.
So I am still confused about what I am doing wrong.
/tmp
The .htaccess in my /tmp looks like this:
Not sure what the difference signifies, but I'm not getting any complaints in my Status Report. Also I'm thinking the Directory options set for Files may not be relevant here, but it ain't broke and I'm not gonna fix it.
============================
Resonetrics: Better Tools for Building Brands
http://resonetrics.com
http://technologyformarketers.com
http://kittenassociates.org
http://www.linkedin.com/in/sammooreatresonetrics
Sam, I tried your code and still no go, so I went back to what I had, which is this:
This is what Drupal instructions suggest I do (I am not sure about where exactly the 'Deny from all' should go though).
When I created the .htaccess file for the /tmp folder I copied it from my 'sites/default/files' one and placed it in the /tmp folder, so I am wondering if I did something wrong there possibly--I don't know.
=-=
http://www.ostraining.com/blog/drupal/drupal-724-tmp-directory/?utm_sour...
Thanks, VM. I have changed the position of the 'Deny from all' command and still the error in my status report exists; however, the instructions you gave me say I have done it correctly, so I will leave it at that--annoying though.
Thanks
temp work
Are you by any chance setting your private files to "/tmp" in configuration > Media > File System?
If so try changing it to just "tmp" or just try and create a brand new temporary directory, "tempnew".
Hope this helps.
A list of some of the Drupal sites I have designed and/or developed can be viewed at motioncity.com
I am not sure exactly what you mean, but when I go to Configuration>Media>File System I see this:
Public file system path has this: sites/default/files (I have an .htaccess file in there and it's okay)
Private file system path has nothing in it (I don't have private files)
Temporary directory has this: /tmp
Now if I change '/tmp' to 'tmp' can I change it back again? I don't want to ruin anything.
hmm not sure
It didn't affect my site. But I didn't have files in there.
A list of some of the Drupal sites I have designed and/or developed can be viewed at motioncity.com
=-=
re: temp work
++ worked for me. Thanks.
Error fixed, from info contained in URL
Hi
I also have had the same problem.
There are some notes in the above URL that similar errors have been experienced by other D7 (?) users.
It suggests that they are false errors??
I tried modifying my /tmp directory to ../tmp, as suggested in one of the posts in that URL.
It appears to have fixed the problem (no more errors in the Status report).
NB: I am assuming that Drupal can actually see the /tmp directory now for all of its functions that this directory is needed.
HTH
Andy
--
=-=
Confirmed. Based on your post, I too changed my tmp path in the file system to ../tmp, and Drupal wrote a .htaccess file to that location and the notification is no longer being displayed.
Can I change to ../tmp without using SFTP or SSH as suggested below by Drupal? In other words, can I just go to Configuration>Media>File System and change it without using SFTP or SSH, as I have already done the files manually? I really don't want to stuff anything up.
"Alternatively, you can remove the .htaccess file from each directory using SFTP or SSH and then visit the file system configuration page (admin/settings/file-system in Drupal 6 or admin/config/media/file-system in Drupal 7) and click the save button to have Drupal create the file automatically."
=-=
Yes, assuming you've removed any .htaccess you've placed in the tmp folder.
Thanks VM and others, I did the ../tmp thing and it works now.
same problem
Hi, I had the same problem with temp and changed it to ../tmp in configuration and it worked,
but I also have the same message in private files directory and public files directory.
Is there a place in configuration to change these also?
Thanks
Ken
=-=
You configure those paths in the same place as the tmp folder.
It's likely that there are already old .htaccess files contained in those folders. You should remove them and replace per: http://drupal.org/SA-CORE-2013-003
However, I don't see why you should be getting that warning for the public folder.
So do I replace
sites/default/files/private/
with
../sites/default/files/private/
Is that going to work?
=-=
No. You shouldn't have to change those paths, merely correct the issue with the .htaccess files already contained within them. More information is contained within the SA page linked above, at the bottom.
You could also try removing the old .htaccess file from the private folder and saving the file system config form in hopes of having a new file written.
ok
This is what's in .htaccess now:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Deny from all
Options None
Options +FollowSymLinks
so should I just add this to the end of it?
Deny from all
# Turn off all options we don't need.
Deny from all
Options None
Options +FollowSymLinks
# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
=-=
no.
Read what you already have. Read what you are adding. Notice the duplication?
remove the old. replace, in total, the new.
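To make the "read what you already have" comparison mechanical, here is an added example (not part of the thread, and not Drupal's own status-report check) that lists which directives from the snippet quoted in this thread are absent from a given .htaccess. The function names and the constructed sample file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): list which directives from the
# SA-CORE-2013-003 snippet quoted above are absent from an .htaccess file.

# missing_directives FILE
# Prints each expected directive that FILE lacks, one per line.
# Returns 2 if FILE cannot be read, 0 otherwise.
missing_directives() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    while IFS= read -r want; do
        # Strip CRs (files edited on Windows), trim whitespace, drop comments,
        # then look for the directive as an exact whole line.
        if ! tr -d '\r' < "$file" |
             sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' |
             grep -qxF -- "$want"; then
            printf '%s\n' "$want"
        fi
    done <<'EOF'
Deny from all
Options None
Options +FollowSymLinks
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
php_flag engine off
EOF
    return 0
}

# Demo on a constructed copy of the older four-line file pasted above.
demo_old_file() {
    tmpdir=$(mktemp -d) || return 1
    printf '%s\n' \
        'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006' \
        'Deny from all' 'Options None' 'Options +FollowSymLinks' \
        > "$tmpdir/.htaccess"
    missing_directives "$tmpdir/.htaccess"
    rm -rf "$tmpdir"
}

demo_old_file
```

An `Options` line that was changed to suit a hosting provider, as one poster describes, is reported as missing because the match is on exact lines.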
OK, but the file is not giving me permission. Do you know what's the preference setting, and should I change it back after?
ok got it
thanks worked great
one more question?
do you know where the public files folder is?
=-=
Also set in the same screen. Based on your private path the public path is sites/all/files
If you are replacing the .htaccess file in that directory, be careful. It's a public directory and, as I stated before, I can't see why it's complaining.
I'd back up the existing .htaccess file already in the folder. I'd then delete the file from the server and save the file system config form in Drupal again to ensure the correct .htaccess is written to the folder in question.
fantastic
all clear now thanks for your help
[Complete Solution] Example: Drupal 8.4.2 online shared webhost
You may want to undo any other changes you have made while trying to resolve this issue.
This worked for Drupal 8.4.2 online shared webhost.
This also has worked for years with Drupal 7.
The Total One-step Solution:
Go to your Drupal 8, or Drupal 7, configuration page:
admin/config/media/file-system
Change the field 'Temporary directory' from...
/tmp
...to...
~/tmp
Click the page-bottom button "Save configuration".
Note: I have also read elsewhere on drupal.org that in addition to
~/tmp, these also may work: ../tmptmp/tmpdirtmpdir
All the best; intended.
-Chris (great-grandpa.com)
___
"The number one stated objective for Drupal is improving usability." ~Dries Buytaert *