In https://www.drupal.org/SA-CORE-2013-003 as well as #1599774: Drupal fails to boot with 503 error and .htaccess protections do not work on Apache 2.4 without mod_access_compat we have made updates to the .htaccess file that Drupal generates in file directories. These updates take place automatically for new installs, but existing installations would need to make these changes manually (or at least delete the files manually and let Drupal recreate them automatically by visiting the File System configuration page) in order to get them.

We should consider writing an update function that would attempt to install the newest version of the .htaccess files automatically as long as it detects that the old version is an unmodified version of what Drupal used to install there.

There's some starter code from the private 2013 security issue that I can find and try to post here if someone is planning to work on this. Also there is some code in #2141137: The .htaccess file cannot be overwritten that may be useful.

I don't think any of this is needed for Drupal 8, since the above issues were fixed in Drupal 8 before it was released (although I'm not sure what happens if you migrate an older site to Drupal 8 and bring the old site's file directories along...)

Comments

David_Rothstein created an issue.