This bug didn't exist in 7.34, but does in 7.38. Not sure where along the way it was introduced.

<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$

This line in .htaccess used to have \.bak|\.orig|\.save)$ at the end, but now has \.bak|\.orig\.save)$. Note the missing '|'. the '|' exists in the other regular expression in the string, so I assume this isn't on purpose.

Comments

nterbogt’s picture

nterbogt commented
Issue summary: View changes
cilefen’s picture

cilefen commented
Related issues: +#1962780: 500 Internal server error on Apache 1.x servers after updating to Drupal 7.22
cilefen’s picture

cilefen commented
Version: 7.38 » 8.0.x-dev

The same condition exists in 8.0.x, so if this is really an error, it must be fixed there first.

cilefen’s picture

cilefen commented

It exists in 7.34.

cilefen’s picture

cilefen commented
Related issues: +#1907704: Restrict temporary files created by text editors

It looks like it was added in #1907704: Restrict temporary files created by text editors as-is.

cilefen’s picture

cilefen commented
Title: .htaccess error » .htaccess broken regex for \.orig and \.save
cilefen’s picture

cilefen commented

It it targeting files named *.orig.save? .orig and .save are checked earlier in the line.

fabianx’s picture

fabianx commented
Priority: Normal » Major
Issue tags: +Security improvements
cilefen’s picture

cilefen commented
Status: Needs work » Closed (duplicate)
Related issues: -#1962780: 500 Internal server error on Apache 1.x servers after updating to Drupal 7.22 +#2508666: Drupal 8 .htaccess rule to prevent php file access can be easily bypassed

#2508666: Drupal 8 .htaccess rule to prevent php file access can be easily bypassed is taking care of this so I am marking this a duplicate.