Prevent creating .htaccess files when using IIS

As mentioned in the forum post; IIS doesn't use .htaccess so there must be some other cause for this problem. Have you found the real cause of this problem yet?

- Arie

I can confirm this, .htaccess file is used by iis with helm for the iispassword filter, which is used for protected folders.

http://www.iistools.com/en/iispassword.html

the file shouldn't be created when running on iis.

@DarkWingDuck: That sounds a lot like a configuration using a third party tool that isn't really supported.
OTH I have to agree that creating .htaccess files on IIS is unnecessary and - in this case - unwanted.

So I suppose if you want to pursue this further you could look for a workaround for the short term (dare I say it ... hack core) and start creating a final solution for the long run.

I guess that final solution would be a feature request for a system setting that prevents Drupal from creating .htaccess files. If you can't get enough people to support implementing that in core you could always implement it using a contributed module.

So for the workaround: AFAICT the .htaccess files are created in /includes/file.inc on line 127

//...snip

  if ((file_directory_path() == $directory || file_directory_temp() == $directory) && !is_file("$directory/.htaccess")) {
    $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks";
    if (($fp = fopen("$directory/.htaccess", 'w')) && fputs($fp, $htaccess_lines)) {
      fclose($fp);
      chmod($directory .'/.htaccess', 0664);
    }
    else {

//snip...

You could just comment out some lines or you could change the contents to suit your setup (helm)
Please note that you should not do this on *nix systems as that would compromise the security of the system

Please post back how that works out for you.

- Arie

Thanks for the info and your time Arie,

That was what I was going to do at first, but putting an empty .htaccess file into the directory removed the need to touch the core.

An option in the settings was the first thing I was going to tell about, but this can be made even easier and simpler by adding an expression like "&& !$is_iis", removing the need for an additional setting.

I know IIS is not supported unless a new branch supports it but as you'll agree, no need to make it incompatible while a fix is so easy. You know, Helm is more than a 3rd party application, it's a typical configuration on a big number of shared hostings (though iis itself is not supported anyway).

I don't really know the structure of drupal.org team and community. Can't we ourselves make implementations in the core? Or is there a core team who only can make changes in the core? Just in case I have some time for it.

Thanks again,
Onur

You're absolutely right, using an empty .htaccess is the better choice. Hadn't thought of that :-)

Just adding the is_iis would be nice but there are two problems with that:

• this variable is not available in Drupal; AFAICT it's a Wordpress specific variable
• as mentioned here http://ifacethoughts.net/2006/06/26/is_iis/ the detection can be sabotaged by hosts that do not (properly) transmit the SERVER_SOFTWARE variable

So detecting the web server flavor would be nice and could be used to prefill the setting. But I think it would also need a manual override setting.

As for changes to core;all new features are developed in HEAD (at the moment Drupal 7.x)
You can write a patch and attach that to this issue. Next you set the issue to patch (code needs review) The patch should then be reviewed by the community and once the people looking at it are satisfied it looks OK the issue is set to patch (reviewed & tested by the community)
Finally the branch maintainer will have the final say whether or not the patch is applied.
Once a patch is applied to HEAD it can be back ported to an earlier version (like 6.9) The process is then repeated (although usually a lot faster) and then the branch maintainer if the 6.x branch will decide whether or not to apply the patch to the 6.x branch.
At that point you will be able to say you contributed code to software that is used by thousands of people all over the world :-D

See here http://drupal.org/patch for a more detailed description of the process.

It may look like a lot but once you've rolled one patch the next will be a breeze ;-)

Let me know what you think.

- Arie

Thank you Arie, this was very informative. Btw no, it doesn't look a lot, it's an expectable workflow in a teamwork.

You're right about an option to override "is_iis". Strange, didn't know some servers do that. Actually I didn't know wordpress had such a variable, I just used it as a pseudo code, symbolizing a global variable or a function existed or to be added =)

Thanks,
Onur

Since the problem was resolved I'm setting this to fixed.

Feel free to reopen if you think that is wrong.

- Arie

I had the exact same problem as the original poster but making the .htaccess file blank did not solve it for me. Files were uploaded but couldn't view them in a browser. IIS and NTFS permissions were properly set on IIS 6 Win 2003 latest Drupal. I also commented out the .htaccess section as suggested above and although the .htaccess is no longer being written when files are uploaded, still couldn't view files in a browser.

The answer was setting authentication in IIS to NTLM instead of Anonymous user access. Now all is well.

Hi,

I had a similar issue--the .htaccess file doesn't allow ImageCache to work. (I'm using Isapi_rewrite 3.0 on IIS--we have some legacy asp applications thus the windows server--ayy!)

I'm a bit stuck in that the following is happening:

(1) deleting the .htaccess file allows everything to work

(2) commenting out the files.inc code as in #6 above stops that file from writing the .htaccess

BUT
(3) the .htaccess file is still being written and I'm not sure from where.

For testing, I tried the following

(1) allowed files.inc to write the .htaccess file but added an additional line: "#from files.inc"--this line then appeared if the .htaccess file was deleted/re-created

(2) commented out the 'files.inc' code which writes the .htaccess. Deleted .htaccess. An .htaccess was created with the original content, no "#from files inc" but I'm not sure where it's being created from. (I flushed caches, restarted IIS, etc.)

I would appreciate any help!

I ended up adding "RewriteEngine off" to my .htaccess file--and not touching the core.

Still not sure how the .htaccess file was being rewritten after files.inc was commented out . . .

Thanks #16 Timothy.sea and all others. I am using a host that will not give me that much IIS permission, plus .htaccess files were never going to be supported with my configurations, so this was a brilliant solution for my Drupal 6.19 install.

Just create a folder named ".htaccess" where drupal will create the ".htaccess" file (sites/default/files/)

Actually, the lines those are to be commented are in the file of field_file.inc in the "filefield" module and also in the includes/file.inc file.
So, I've done the following in both of those files:

if ((file_directory_path() == $directory || file_directory_temp() == $directory) && !is_file("$directory/.htaccess")) {
    /* $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks";
     if (($fp = fopen("$directory/.htaccess", 'w')) && fputs($fp, $htaccess_lines)) {
       fclose($fp);
       chmod($directory .'/.htaccess', 0664);
     }
     else {
       $repl = array('%directory' => $directory, '!htaccess' => nl2br(check_plain($htaccess_lines)));
       form_set_error($form_item, t("Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines:!htaccess", $repl));
       watchdog('security', "Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines:!htaccess", $repl, WATCHDOG_ERROR);
     }*/
  }

hi dears. because using .htaccess file in IIS server are not useful and i did not find other way to prevent drupal to crate .htaccess file i forced to open includes/file.inc and find all .htaccess tags and I disable all block who contain .htaccess by inserting /* in first and */ at end of block .
its pertly works.
because of changing file.inc bye etch release of drupal i don't show the code how i changed.

Hi
I had the same problem with Drupal 7
do the folowing steps, easy solution
1. Find (file.inc) in root of drupal site.
2. Edit it with notepad
3.Search for (file_put_contents )
4.You may find these:

// Write the .htaccess file.
  if (file_put_contents($htaccess_path, $htaccess_lines)) {
    drupal_chmod($htaccess_path, 0444);
  }
  else {
    $variables = array('%directory' => $directory, '!htaccess' => '<br />' . nl2br(check_plain($htaccess_lines)));
    watchdog('security', "Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess

", $variables, WATCHDOG_ERROR);
}
}

5.Just make comment by putting /* */ like following:

// Write the .htaccess file.
  /*if (file_put_contents($htaccess_path, $htaccess_lines)) {
    drupal_chmod($htaccess_path, 0444);
  }
  else {
    $variables = array('%directory' => $directory, '!htaccess' => '<br />' . nl2br(check_plain($htaccess_lines)));
    watchdog('security', "Security warning: Couldn't write .htaccess file. Please create a .htaccess file in your %directory directory which contains the following lines: <code>!htaccess

", $variables, WATCHDOG_ERROR);
}*/
}

6.Save the file.
7.Have Fun.