Some rules in the .htaccess seem outdated.

FilesMatch pattern to protect files and directories from direct access needs to be updated. For instance tpl(\.php)? makes no sense in Drupal 8+.

Configuration for PHP 5 is no longer needed as Drupal does not support PHP 5 since version 8.7.

Overall the current configuration seems too complex and likely can be optimized. The number of rules in the .htaccess may affect server performance a great deal. That's because the file is parsed on each HTTP request including requests for static files.

We may consider moving rules that are specific to some directory into a separate .htaccess file located under that directory. For instance there is a large set of rules for serving gzip compressed CSS and JS files.

Comments

Chi created an issue. See original summary.

neslee canil pinto’s picture

Status: Active » Needs review
StatusFileSize
new1.63 KB

Status: Needs review » Needs work

The last submitted patch, 2: 3124724-2.patch, failed testing.

neslee canil pinto’s picture

Status: Needs work » Needs review
StatusFileSize
new2.98 KB
new1.88 KB

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

init90’s picture

Status: Needs review » Needs work
Issue tags: +Needs reroll

adityasingh’s picture

Working on reroll.

adityasingh’s picture

Status: Needs work » Needs review
StatusFileSize
new2.3 KB

Reroll for 9.1

init90’s picture

Status: Needs review » Needs work
+++ b/.htaccess
@@ -27,11 +27,6 @@ AddEncoding gzip svgz
-# PHP 7, Apache 1 and 2.
-<IfModule mod_php7.c>
-  php_value assert.active                   0
-</IfModule>
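Review bot: the lines removed at -27 are the "# PHP 7" block (<IfModule mod_php7.c> with php_value assert.active 0), not PHP 5 configuration, so this removal goes beyond the cleanup the issue summary describes. Keep this block and limit the removal to the PHP 5 settings; if dropping it is intended, the patch should document where assert.active is set to 0 instead.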

This part is needed and shouldn't be removed.

suresh prabhu parkala’s picture

Status: Needs work » Needs review
StatusFileSize
new1.84 KB
new868 bytes

Please review!

Status: Needs review » Needs work

The last submitted patch, 10: 3124724-10.patch, failed testing.

longwave’s picture

The issue summary says

For instance tpl(\.php)? makes no sense in Drupal 8+.

I think if we are going to revise the list of blocked file extensions then we should consider all of them. For example at first glance "xtmpl" appears in the list - I believe this refers to the XTemplate templating system, which was deprecated in Drupal 4.7! I think it is worth someone listing out all the extensions included in this list, determining what they are used for, and then deciding whether they still should be included.

Also, there is a near-identical regex in web.config, which is used on IIS. This regex should be updated to match.
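One way to do the extension inventory and the web.config comparison suggested in this comment, as an added example that is not part of the thread or of Drupal core. The two rule lines are constructed, shortened samples, the function names are hypothetical, and Python's re module stands in for the Apache and IIS regex engines.

```python
import re

# Constructed, shortened samples in the style of the two rules; not the real core files.
HTACCESS_LINE = r'<FilesMatch "\.(engine|inc|install|module|tpl(\.php)?|xtmpl|yml)(~|\.bak|\.orig)?$">'
WEBCONFIG_LINE = r'<match url="\.(engine|inc|install|module|tpl(\.php)?|yml)(~|\.bak|\.orig)?$" />'

def extract_pattern(line):
    # Return the regex held in the first double-quoted argument or attribute.
    m = re.search(r'"([^"]*)"', line)
    if m is None:
        raise ValueError("no quoted pattern in line")
    return m.group(1)

def blocked_extensions(pattern):
    # Split the first group on top-level '|' only, so a nested entry such as
    # tpl(\.php)? stays in one piece.
    items, cur, depth, i = [], "", 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                    # escaped character: never structural
            if depth:
                cur += pattern[i:i + 2]
            i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:                # end of the extension group
                return items + [cur]
        if ch == "|" and depth == 1:
            items.append(cur)
            cur = ""
        elif depth and not (ch == "(" and depth == 1):
            cur += ch
        i += 1
    raise ValueError("no group found in pattern")

def drift(htaccess_line, webconfig_line):
    # Entries present in only one of the two rules: (only_htaccess, only_webconfig).
    a = set(blocked_extensions(extract_pattern(htaccess_line)))
    b = set(blocked_extensions(extract_pattern(webconfig_line)))
    return sorted(a - b), sorted(b - a)

def blocked(pattern, names):
    # File names the rule would deny, for a behavioural check of both rules.
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]
```

Running `blocked` over the same list of file names for both patterns shows whether a difference in the extension lists changes what each server actually denies.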

longwave’s picture

Title: Revise .htaccess file » Revise list of blocked file extensions in .htaccess

Better title.

vsujeetkumar’s picture

Status: Needs work » Needs review
StatusFileSize
new1.64 KB
new340 bytes

Fixing test.

tvb’s picture

Issue tags: -Needs reroll

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

needs-review-queue-bot’s picture

Status: Needs review » Needs work
StatusFileSize
new144 bytes

The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.