Problem

  1. Directly after installing Drupal, uid 1 is greeted with an error message pointing to the Status report page, which says:

    Temporary files directory

    Not fully protected

    See http://drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the C:\Windows\Temp directory to help protect against arbitrary code execution.

Comment  File                           Size     Author
#2       drupal8.htaccess-save.2.patch  2.02 KB  sun

Comments

larowlan’s picture

Issue tags: +Needs backport to 7.x

Yeah, same story on Linux when outside the docroot. After the release it was about 50% of the traffic on the security mailing list.

sun’s picture

Humm... The current code does not appear to work at all.

The .htaccess file in my public files directory was created in January 2014, but still contains

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks

$ stat sites/default/files/.htaccess
  File: `sites/default/files/.htaccess'
...
Access: 2014-01-13 23:26:06.662023600 +0100
Modify: 2014-01-13 23:26:06.662023600 +0100
Change: 2014-01-13 23:26:06.663023600 +0100
 Birth: 2014-01-13 23:26:06.662023600 +0100

Attached patch fixes at least the requirements error for the .htaccess file in the temporary files directory.

The problem is caused by Drupal itself:

  1. If Drupal uses the OS temp directory
  2. and Drupal has been installed at least once on the machine
  3. then file_save_htaccess() has already performed:
    chmod('temporary://.htaccess', 0444)
    
  4. and Drupal's subsequent attempt to (re)write the file fails, because it does not have write access.

sun’s picture

I actually believe we need to rethink the .htaccess file futzing entirely.

Instead of the $force_overwrite flag, we should add a comment like this to each .htaccess file that is created by Drupal:

# DRUPAL-OVERWRITE-ME
# Remove the line above and this comment to prevent Drupal from overwriting
# this file in case you customized it manually. When doing so, you have to
# update this file manually in the future.
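Added example (mine, not Drupal core and not the attached patch), in PHP, showing one way to handle the sequence described in #2 together with the opt-out marker proposed in #3: the writer compares the existing file first, lifts the 0444 bit only when it actually has to rewrite, and leaves the file alone once the owner has removed the marker. The function and constant names are hypothetical, and the directive list is constructed from the lines quoted in this thread plus a Deny from all, not Drupal's full set.

```php
<?php
// Added example; not Drupal core code and not the attached patch. It
// reproduces the failure described in #2 (an .htaccess left at 0444 by an
// earlier install cannot be rewritten, so the status report keeps
// complaining) and the opt-out marker proposed in #3. Function and
// constant names are hypothetical; the directives are constructed.

const HTACCESS_MARKER = '# DRUPAL-OVERWRITE-ME';

function htaccessContents(): string {
  return HTACCESS_MARKER . "\n"
    . "# Remove the line above and this comment to prevent Drupal from\n"
    . "# overwriting this file in case you customized it manually.\n"
    . "Deny from all\n"
    . "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\n"
    . "Options None\n"
    . "Options +FollowSymLinks\n";
}

/**
 * Write a protective .htaccess into $directory and leave it read-only.
 *
 * Returns 'written', 'unchanged', 'customized' or 'failed'.
 */
function saveProtectedHtaccess(string $directory, string $contents): string {
  $path = rtrim($directory, '/\\') . DIRECTORY_SEPARATOR . '.htaccess';

  if (is_file($path)) {
    $existing = file_get_contents($path);
    if ($existing === $contents) {
      // Already up to date; a read-only file is exactly what we want here.
      return 'unchanged';
    }
    if ($existing !== FALSE && strpos($existing, HTACCESS_MARKER) === FALSE) {
      // The site owner removed the marker: the file is theirs now.
      return 'customized';
    }
    // The state from #2: the file exists, a previous run chmod'ed it to
    // 0444, and a plain write would fail. Make it writable instead of
    // bailing out.
    if (!is_writable($path) && !@chmod($path, 0644)) {
      return 'failed';
    }
  }

  if (@file_put_contents($path, $contents) === FALSE) {
    return 'failed';
  }
  // Restore the read-only bit so nothing casually edits the file.
  @chmod($path, 0444);
  return 'written';
}

// Walk through the sequence in a scratch directory standing in for
// temporary:// (constructed; lives under the OS temp dir like the report).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'htaccess-demo-' . getmypid();
mkdir($dir, 0700);
$contents = htaccessContents();
$file = $dir . DIRECTORY_SEPARATOR . '.htaccess';

// First install: the file does not exist yet.
echo saveProtectedHtaccess($dir, $contents), "\n";
// Second install on the same machine with identical directives.
echo saveProtectedHtaccess($dir, $contents), "\n";
// A later release ships an extra directive while the file is still 0444.
echo saveProtectedHtaccess($dir, $contents . "# extra directive\n"), "\n";
// The owner opts out by removing the marker line.
chmod($file, 0644);
file_put_contents($file, "Deny from all\n");
echo saveProtectedHtaccess($dir, $contents), "\n";

// Clean up (clear the read-only bit first so unlink() also works on Windows).
chmod($file, 0644);
unlink($file);
rmdir($dir);
```

Two caveats: is_writable() reports TRUE for root regardless of the mode bits, so the chmod branch is only exercised under the normal unprivileged web-server user; and a file written by a Drupal version that predates the marker has no marker either, so this scheme would wrongly treat it as customized unless a one-time migration keyed on the old SetHandler line is added, which the comments above do not specify.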

larowlan’s picture

The issue with Linux, if you're using the OS temp dir, is that Drupal has no business adding .htaccess files to directories outside the web root; there isn't a way for those to be executed from the browser via a URL like there is for the files directory.

Status: Needs review » Needs work

The last submitted patch, 2: drupal8.htaccess-save.2.patch, failed testing.

sun’s picture

re #4: The same applies for Windows, too... — I don't have access to the discussion of the security issue.

I wonder whether there were/are any particular reasons for writing an .htaccess file to scheme file directory paths that are outside of the web root?

Wouldn't the following be sufficient?

if (strstr(drupal_realpath('temporary://'), DRUPAL_ROOT)) {
  file_save_htaccess('temporary://');
}

(same for private://)

larowlan’s picture

Added you to the security thread; it's a long read.
I think that might suffice, but it didn't cover when Drupal is installed in a subdirectory and the temp path is directly above it. But there are heaps of other configurations as well where the temp path might be outside Drupal but still accessible; again, nearly all of those would surely be bad server config.
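Added example (mine, not Drupal core) of the containment test from #6 with the gap from #7 handled. Two details matter for the check to be safe: a bare strstr()/strpos() prefix test treats /var/www/html2 as inside /var/www/html, so a separator has to be appended before comparing; and the boundary that matters for URL reachability is the web server's DocumentRoot, not only DRUPAL_ROOT, and the two differ in exactly the subdirectory install mentioned in #7. Function names are hypothetical and the paths at the bottom are constructed; they need not exist on disk.

```php
<?php
// Added example; not Drupal core code. Implements the docroot test proposed
// in #6 and extends it for the case in #7 (Drupal in a subdirectory of the
// server's DocumentRoot, temp directory one level up). Function names are
// hypothetical; the scenario paths are constructed.

/**
 * Lexically normalise a path: forward slashes only, no '.', '..' or empty
 * segments, no trailing slash. Touches no filesystem.
 */
function normalisePath(string $path): string {
  $parts = [];
  foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
    if ($segment === '' || $segment === '.') {
      continue;
    }
    if ($segment === '..') {
      array_pop($parts);
    }
    else {
      $parts[] = $segment;
    }
  }
  return '/' . implode('/', $parts);
}

/**
 * TRUE when $path equals $root or lies below it. A separator is appended
 * before comparing, so /var/www/html2 is not "inside" /var/www/html, which
 * a bare strstr()/strpos() prefix test would report.
 */
function isInside(string $path, string $root): bool {
  $path = normalisePath($path);
  $root = normalisePath($root);
  if ($root === '/') {
    return TRUE;
  }
  return $path === $root || strpos($path . '/', $root . '/') === 0;
}

/**
 * Should a protective .htaccess be dropped into $dir?
 *
 * $webRoots lists every directory the HTTP server serves files from: the
 * DocumentRoot and DRUPAL_ROOT (they differ when Drupal sits in a
 * subdirectory). The path as configured and its realpath() are both tested
 * against the root as given and its realpath(), so a symlinked docroot or a
 * temp directory that is itself a symlink does not slip through.
 */
function needsHtaccess(string $dir, array $webRoots): bool {
  $candidates = [$dir];
  if (($real = realpath($dir)) !== FALSE) {
    $candidates[] = $real;
  }
  foreach ($webRoots as $root) {
    if ($root === '') {
      continue;
    }
    $roots = [$root];
    if (($realRoot = realpath($root)) !== FALSE) {
      $roots[] = $realRoot;
    }
    foreach ($roots as $r) {
      foreach ($candidates as $c) {
        if (isInside($c, $r)) {
          return TRUE;
        }
      }
    }
  }
  return FALSE;
}

// Constructed scenarios: [temporary directory, web roots to check against].
$scenarios = [
  ['/var/www/html/sites/default/files/tmp', ['/var/www/html']],   // public files dir
  ['/var/www/html2/tmp',                    ['/var/www/html']],   // sibling with a shared prefix
  ['/tmp',                                  ['/var/www/html']],   // the OS temp dir
  ['/var/www/html/../html/tmp',             ['/var/www/html']],   // dot-dot segment
  // #7: DRUPAL_ROOT is /var/www/html/drupal and the temp dir is one level
  // up; the second row adds the server's DocumentRoot to the roots.
  ['/var/www/html/tmp',                     ['/var/www/html/drupal']],
  ['/var/www/html/tmp',                     ['/var/www/html/drupal', '/var/www/html']],
];
foreach ($scenarios as [$dir, $roots]) {
  printf("%-40s %-40s %s\n", $dir, implode(',', $roots),
    needsHtaccess($dir, $roots) ? 'write .htaccess' : 'skip');
}
```

In a Drupal context the roots would be [DRUPAL_ROOT, $_SERVER['DOCUMENT_ROOT'] ?? ''] (assumption: the server populates DOCUMENT_ROOT, which Apache does). What the check still cannot see is an Alias or a second vhost exposing a directory outside both roots; that is the "bad server config" class from #7, and only an .htaccess inside the directory itself covers it, which is the argument for writing it unconditionally.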

jhedstrom’s picture

Would the fix suggested in #6 be sufficient here?

OnkelTem’s picture

Same issues here on D8 RC2.
I wonder why `.htaccess` was not created at installation by default?

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

David_Rothstein’s picture

Linking to a related issue, although not necessarily the same thing.

christopher james francis rodgers’s picture

[Accidental double-posting. See next comment. ~Chris]

christopher james francis rodgers’s picture

[Complete One-step Solution for newbies who stumble upon this page because of this ongoing problem, which existed back in D7]

You may want to undo any other changes you have made while trying to resolve this issue.

This worked for my new Drupal 8.4.2 site at an online shared webhost, and also has worked for years with Drupal 7.

The Total One-step Solution:

Go to your Drupal 8, or Drupal 7, configuration page:

admin/config/media/file-system

Change the field 'Temporary directory' from...

/tmp

...to...

~/tmp

Click the page-bottom button "Save configuration".


Note: I have also read elsewhere on drupal.org that in addition to ~/tmp, the following may also work; I do not think it matters what path and folder-name you use, so long as it is not the one which is currently giving you problems:

  • ../tmp
  • tmp
  • /tmpdir
  • tmpdir
  • Etc.
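Added example (mine, not Drupal code, and not an endorsement of the setting) showing where a temporary-directory value of ~/tmp actually lands. PHP passes the string to the operating system unchanged and no shell is involved, so the tilde is not expanded to the home directory; it is a relative path. Assumption: as under Drupal's front controller, the process working directory is the Drupal root, so a relative path is created beneath it. The scratch directories are constructed stand-ins for DRUPAL_ROOT and for an absolute directory outside it.

```php
<?php
// Added example, not Drupal code. Where does a temp-directory setting of
// '~/tmp' end up? PHP does no tilde expansion, so it is a relative path.
// Assumption: the working directory is DRUPAL_ROOT, as under Drupal's
// front controller. Names and scratch paths are hypothetical/constructed.

/**
 * Mimic what Drupal does for a missing temp directory (recursive mkdir)
 * with $drupalRoot as the working directory, and return the absolute path
 * the setting really refers to.
 */
function resolveTempSetting(string $configured, string $drupalRoot): string {
  $previous = getcwd();
  chdir($drupalRoot);
  if (!is_dir($configured)) {
    mkdir($configured, 0755, TRUE);
  }
  $resolved = realpath($configured);
  chdir($previous);
  return $resolved;
}

/** TRUE when $path is $root or below it (realpath() applied to both). */
function isBelow(string $path, string $root): bool {
  $path = realpath($path);
  $root = realpath($root);
  return $path !== FALSE && $root !== FALSE
    && strpos($path . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0;
}

// Scratch stand-in for DRUPAL_ROOT (constructed).
$drupalRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tilde-demo-' . getmypid();
mkdir($drupalRoot, 0700);
// Stand-in for the absolute, outside-the-docroot directory that '~/tmp'
// means in a shell (constructed; a real site would use $HOME/tmp).
$outside = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tilde-demo-private-' . getmypid();

foreach (['~/tmp', $outside] as $configured) {
  $resolved = resolveTempSetting($configured, $drupalRoot);
  printf("%-45s -> %s (%s DRUPAL_ROOT)\n", $configured, $resolved,
    isBelow($resolved, $drupalRoot) ? 'inside' : 'outside');
}
// Evidence that the tilde survived as a plain directory name.
printf("directory literally named '~' under DRUPAL_ROOT: %s\n",
  is_dir($drupalRoot . DIRECTORY_SEPARATOR . '~') ? 'yes' : 'no');

// Clean up.
rmdir($drupalRoot . DIRECTORY_SEPARATOR . '~' . DIRECTORY_SEPARATOR . 'tmp');
rmdir($drupalRoot . DIRECTORY_SEPARATOR . '~');
rmdir($drupalRoot);
rmdir($outside);
```

If the chosen path resolves under the docroot it is reachable by URL, and the .htaccess this issue is about is the only thing between a temporary upload and a request for it, so the status report will rightly ask for the file there too. What clears the warning in the workaround above is that the new directory has no stale read-only .htaccess from an earlier install (the cause sun identified in #2), so Drupal can write a fresh one; an absolute path outside every web root gets the same result without putting the directory in the docroot.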

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

luke.stewart’s picture

Status: Needs work » Closed (duplicate)

It's been a while since this was touched but a quick check of the relevant code suggests nothing much has probably changed.

In the interim a new issue has been lodged and there is some activity there. Given this I think we can close this issue as a duplicate as while it is older there is more in train over on #2906490
