Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 UTC on 18 March 2024, to get $100 off your ticket.
By mcdruid on
Change record status:
Published (View all published change records)
Project:
Introduced in branch:
7.x
Introduced in version:
7.68
Issue links:
Description:
As a precautionary security hardening, access to web.config is blocked in .htaccess (and vice-versa).
This means a change was introduced in both files:
.htaccess
# Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.
+<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\..save)$">
web.config
<rule name="Protect files and directories from prying eyes" stopProcessing="true">
- <match url="\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$" />
+ <match url="\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|\.htaccess)$" />
Any customisations made to these files on existing sites will have to be carefully re-applied after these updates.
Impacts:
Site builders, administrators, editors
Comments
Change is slightly different
For me, the change to the .htaccess file looks more like:
This article needs to be updated
Indeed, the .htaccess changes from above are incorrect. This article needs to be updated. The required changes are correct within a drupal 7.68 htaccess file.
IT'S GOOD TO BE HERE » Blog
NGINX
And if I have NGINX, what changes should I make to its configuration?