In security a common (and good) approach is to deny all access to a resource and specify what can access it specifically. Often this is done the other way around; allowing access to everything and specifyng what is not allowed.

As described in http://drupal.org/node/93843 I am suggesting to change the following in .htaccess:

# Protect files and directories from prying eyes.
<FilesMatch "...">
  Order deny,allow
  Deny from all
</FilesMatch>

to

# Protect files and directories from prying eyes.
<FilesMatch "...">
  Order allow,deny
</FilesMatch>

Because the latter is the correct implementation of "Default = Deny, Allow what is set" and is thus technically 'more correct'.

Files: 
CommentFileSizeAuthor
htaccess_10.patch452 bytesJax

Comments

Morbus Iff’s picture

You know, I was thinking about this again this morning, and I think our /existing/ implementation is /more secure/ than this suggested patch. Consider a badly configured Apache that has document roots set for "Allow from all" - this would override this suggested patch, and give everyone access to our FilesMatch. Likewise, there's no "Allow from none" we can put in here to stop that from happening. With that consideration said, I think it's safer to remain with what we have, even though it is a default whitelisting, then a global blacklist.

Morbus Iff’s picture

I think we should probably patch a comment into the .htaccess with the reason why we're doing this "wrong", quote unquote - to protect from upstream bad configurations (like the "Allow from all" I just mentioned).

Jax’s picture

Actually it seems an Order statement voids all previous Allow/Deny statements.

olivier@tornado:~/public_html/tmp/down$ ls -al
total 9
-rw-r--r--    1 olivier  tech           17 Nov 10 16:25 .htaccess
-rw-r--r--    1 olivier  tech            6 Nov 10 16:25 index.php
olivier@tornado:~/public_html/tmp/down$ ls -al ..
total 731
-rw-r--r--    1 olivier  tech           32 Nov 10 16:26 .htaccess
drwxr-xr-x    2 olivier  tech          112 Nov 10 16:26 down/
olivier@tornado:~/public_html/tmp/down$ cat .htaccess
Order Allow,Deny
olivier@tornado:~/public_html/tmp/down$ cat ../.htaccess
Order Deny,Allow
Allow From All

When I go to the index.php file in down it gives a forbidden. I'll start looking for documentation about this.

Jax’s picture

Actually the section you quoted in the forum topic is relevant here. If the "Allow from" statements were not voided from a new Order you should contact apache2.org to update their documentation to include your warning.

Morbus Iff’s picture

I'd want you to test a few more scenarios:

1) Make /.htaccess "Order Allow,Deny\nAllow from all"
2) Make /.htaccess simply "Allow from all".
3) Make [Directory /path/to/your/down/directory]\nOrder Allow,Deny\nAllow from all[/Directory] in your httpd.conf

Jax’s picture

With

# cat /.htaccess
Order Allow,Deny
Allow from All

# cat .htaccess
<FilesMatch "\.php">
  Order Allow,Deny
</FilesMatch>

I get a forbidden on the index.php

With:

# cat /.htaccess
Allow from All

I still get a forbidden.

With:

<Directory /home/*/public_html>
    AllowOverride All
    Order Allow,Deny
    Allow From All
</Directory>

(I restarted the webserver after the modification) and no /.htaccess It still gives forbidden.

Morbus Iff’s picture

Can you modify the third, the one in httpd.conf, to point /directly/ to your /down/ directory, as I demo'd?

Jax’s picture

With:

<Directory /home/olivier/public_html/tmp/down>
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

And no .htaccess in "/home/olivier/public_html/tmp/down" I can get to the index.php but when I activate the .htaccess in down:

<FilesMatch "\.php">
  Order Allow,Deny
</FilesMatch>

I get a forbidden as intended.

Morbus Iff’s picture

In which case, I'm fine with the patch, though could care little if it actually gets in. To some degree, even though the other one is "wrong" in the sense of blacklisting/whitelisting, I feel it's also more obvious at an initial glance (the "Deny from all", being explicit, is telling, compared to just "Order allow,deny", which innocently seems to suggest we allow everything first).

drumm’s picture

Status: Needs review » Fixed

Committed to HEAD.

Anonymous’s picture

Status: Fixed » Closed (fixed)
Senpai’s picture

Version: 5.0-beta1 » 5.1
Status: Closed (fixed) » Reviewed & tested by the community

Just a quick follow-up to ask if one of you would roll that .htaccess "innocent comment" into HEAD. You know, the one that says, "The 'Order allow,deny' blocks access to all the files listed, even though it appears at first glance to leave the barn door open."

I was upgrading sites from 4.7.6 to 5.1 today, and, while comparing my old htaccess to the new one, noticed this change and became alarmed. A little tiny note, even half as long as what I've written above, would soothe some nerves among those who don't use a stock htaccess file and thus can't simply replace their old one with your new version.

"Order allow,deny is the correct way of keeping intruders away from precious files." There. that'd do it.
--
Senpai

drumm’s picture

Status: Reviewed & tested by the community » Active

No patch is attached. And we don't need to patronize people with '"precious" files'.

Rainy Day’s picture

There’s an explanation of this issue in the Apache documentation, which may be useful for anyone who noticed the change and was wondering about the security implications. Synopsis: This change is more secure.

zeta ζ’s picture

Should this be closed?

marcingy’s picture

Status: Active » Closed (fixed)