Problem/Motivation
Private files "Not fully protected" is misleading when the directory does not exist. Steps to reproduce are in comment #5.
Proposed resolution
Add a specific error message when the directory does not exist.
Remaining tasks
User interface changes
API changes
Data model changes
Original Report
After creating a private files directory, and making it writable by the web server, and choosing "private local files" in the File system settings, I get this error in the status report...
Not fully protected
See https://www.drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the directory to help protect against arbitrary code execution.
I am using Drupal 8, but this error links to a document that is specific to Drupal 6 and 7. For the heck of it, I tried following the instructions for Drupal 7, but it didn't work.
Do I need an .htaccess in my private files directory, in Drupal 8? If so, what should I put in that .htaccess?
Comments
Comment #2
dureaghin CreditAttribution: dureaghin commented
Try this, go to your Drupal 8, configuration page:
admin/config/media/file-system
Change the field 'Temporary directory' from...
/tmp
...to...
~/tmp
Click the page-bottom button "Save configuration".
Comment #3
dureaghin CreditAttribution: dureaghin commented
Comment #4
VM CreditAttribution: VM commented
Not sure changing the ~tmp folder will matter; I didn't try that. But I did find that visiting the file system page and saving it generated the .htaccess file I needed in the private file system folder above the root. As an aside, I believe the Drupal-generated .htaccess file in the /tmp/ folder can be copied and utilized in the private file system folder. I should have compared the files before replacing, but at this point, replacement hasn't changed functionality.
I think the confusion that may be at play here is that the private file system path is set in settings.php. Pre-D8 the path was set on the file system page forcing a save of the page. This assumes that the actual generation of the .htaccess was due to saving the page and not some other unknown at moment.
Comment #5
arnoldbird CreditAttribution: arnoldbird commented
Hate to say it, but my initial mistake was that I specified a non-existent path in my settings file. I then got further off course in part because the status warning (at admin/reports/status) is inaccurate* and links to a documentation page that is intended for Drupal 6 and 7. I guess at that point I lost some confidence in the framework and started to think there must be a bug. When really the initial problem was that I specified a bad path.
VM is correct that Drupal 8 writes the .htaccess file for you in the private directory when you submit the form at admin/config/media/file-system -- provided of course that you have specified a good path in the settings file. Drupal does not create the private directory for you (at least not in my case), but does create the .htaccess within that private directory.
I can also confirm that the .htaccess Drupal creates in the private directory is the same as the one Drupal creates in the tmp directory.
* The status warning says "Not fully protected". But really the directory just wasn't there, in my case. This can easily be reproduced by moving your private directory to another location...
sudo mv private private-DISABLE
If you run that command, then visit the status page, you will see the "Not fully protected" error that links to Drupal 6/7 documentation.
Comment #6
cilefen CreditAttribution: cilefen at Institute for Advanced Study commented
Comment #7
cilefen CreditAttribution: cilefen at Institute for Advanced Study commented
Comment #10
jshimota01 CreditAttribution: jshimota01 commented
My reading of this: the OP talked about 'Private files'... then the discussion segued to the TMP directory, a different problem actually.
In d 8.8.5 I have the same error for my Private Files - and indeed it links to useless information about the d7. Sure, some of that information is related but the solution specific for d8 is not documented or given. I've just tried deleting the .htaccess and got the error, editing the .htaccess to have the textual content documented on the d7 page, and still got the error.
I'm about to explore if my reference to the location is somehow bad or broken but it's quite frustrating.
Comment #11
glbr CreditAttribution: glbr as a volunteer commented
Drupal 8.8.x seems to have deprecated some old code for writing the .htaccess file. Saving the file system configuration no longer seems to write the .htaccess file in the private files folder. At least it didn't for me.
Searching the code a bit, I found core/lib/Drupal/Component/FileSecurity/FileSecurity.php containing code to assemble a .htaccess file with an option for the private folders version. The file it assembles for the private files folder is:
Clear caches after you put that in place. Got rid of the error message for me.
This is an old issue that has been renamed to flag only the lack of useful information when the private folder doesn't exist. #10 and this are about lack of clarity for what D8 wants and, in my case, whether or not the .htaccess file should be generated when the file system configuration is saved (like used to happen). A .htaccess file was generated inside a config/sync folder I created so they are sometimes created.
Someone who understands the design intent better than I do may want to create a new issue. The solution seems to be a) clean up the documentation, b) properly generate the .htaccess file for the private files folder, or both.
Comment #12
Wolf_22 CreditAttribution: Wolf_22 as a volunteer commented
I just ran into this for the private files folder path when setting up a new install. For whatever it's worth, glbr's instructions and code appear to have fixed it for me after a clearing of the cache. My status page indicates that all is well now.
Comment #13
h.paul CreditAttribution: h.paul as a volunteer commented
With a new install in Drupal 8.8 glbr's code worked well for me, too.
Comment #15
gwanjama CreditAttribution: gwanjama as a volunteer commented
For Drupal 8.9, first, create the private folder (mine is at the same level as the web folder) and ensure the folder permissions are set to 0777. Next, configure $settings['file_private_path'] in your settings.php. Mine is configured to:
$settings['file_private_path'] = $app_root . '/../private';
Finally, clear Drupal caches... Drupal will generate the appropriate .htaccess file in the folder you specified in $settings['file_private_path'].
Comment #16
dithomas CreditAttribution: dithomas commented
For Drupal 8.9 #11 also worked for me. I've set
$settings['file_private_path'] = '../private';
and used #15 permissions.
Comment #17
apaderno
Drupal 8.9.x is in security support only.
Comment #19
Slim Ch CreditAttribution: Slim Ch as a volunteer commented
For Drupal 9 #15 works fine! Thanks.
Comment #20
apaderno
Comment #21
larowlan
So by the sound of it this is either a documentation issue, or the form (or status report) doesn't provide adequate feedback as to what is wrong.
Can someone confirm and update the issue summary to use the template to confirm what is needed here?
Comment #22
larowlan
Also #2906490: "TEMPORARY/PUBLIC/PRIVATE FILES DIRECTORY" security error provides useless guidance has a patch (albeit for the temporary stream wrapper) that could equally apply to private files.
Does anyone have an objection to closing this and working over there?
Comment #23
larowlan
Looking at #2906490: "TEMPORARY/PUBLIC/PRIVATE FILES DIRECTORY" security error provides useless guidance, it does indeed improve the documentation and status message for all three of public, private and temporary.
So closing this as a duplicate.
Comment #24
bigmonmulgrew CreditAttribution: bigmonmulgrew commented
Commenting to add to this that you should not be setting 0777 in most cases; this gives anyone read, write and execute. It's also more permissions than are needed.
Permissions should be set to 0770 at most. Setting folder ownership to www-data and access to 0700 should be sufficient.
Once you have done that clear cache and run cron and it should be created.
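As a deployer's check, added here and not code from Drupal core or from anyone in this thread: a POSIX shell audit of the private files directory that separates the case the original report hit (the path in $settings['file_private_path'] does not exist, which Drupal will not create for you per #5) from a genuine protection gap (no .htaccess, or one missing its deny and engine-off directives), and flags the 0777 permissions from #15 as wider than #24 recommends. The path argument, the exit codes, and the minimal .htaccess written by write_test_htaccess are this example's own assumptions; that fixture is a constructed illustration, not the file Drupal's FileSecurity class generates.

```shell
#!/bin/sh
# Added example (not Drupal core code): audit a configured private files
# directory before trusting "Not fully protected" in the status report.
#
# Exit codes (assumed for this example):
#   0 protected, 1 path missing, 2 not a directory, 3 world-writable,
#   4 .htaccess missing, 5 .htaccess incomplete.

check_private_dir() {
  dir="$1"

  # The case behind this issue: the configured path simply is not there.
  if [ ! -e "$dir" ]; then
    echo "MISSING: $dir does not exist; create it, then clear caches" >&2
    return 1
  fi
  if [ ! -d "$dir" ]; then
    echo "NOTDIR: $dir exists but is not a directory" >&2
    return 2
  fi

  # Column 9 of `ls -ld` is the world-write bit; this works on both GNU
  # and BSD userlands, unlike stat's format flags.
  other_write=$(ls -ld "$dir" | cut -c9)
  if [ "$other_write" = "w" ]; then
    echo "TOO_OPEN: $dir is world-writable; use 0770 or 0700 owned by the web server user" >&2
    return 3
  fi

  htaccess="$dir/.htaccess"
  if [ ! -f "$htaccess" ]; then
    echo "UNPROTECTED: $htaccess missing; save the file system form or clear caches" >&2
    return 4
  fi

  # Two things a private-files .htaccess must do: deny direct web access
  # (Apache 2.2 or 2.4 syntax) and switch the PHP engine off so an uploaded
  # script cannot execute even if the deny rule is ever bypassed.
  if ! grep -q -e 'Deny from all' -e 'Require all denied' "$htaccess" \
     || ! grep -q 'php_flag engine off' "$htaccess"; then
    echo "INCOMPLETE: $htaccess lacks deny or engine-off directives" >&2
    return 5
  fi

  echo "OK: $dir is protected"
  return 0
}

# Constructed minimal .htaccess for local testing of the audit above.
# It is an illustration only, not the file Drupal's FileSecurity writes.
write_test_htaccess() {
  cat > "$1/.htaccess" <<'EOF'
Deny from all
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
EOF
}

# Usage: sh check_private_dir.sh /path/to/private
if [ -n "${1:-}" ]; then
  check_private_dir "$1"
fi
```

Run it against the directory named in $settings['file_private_path'] after saving the file system form or clearing caches; a non-zero exit tells you which of the distinct failure modes the single "Not fully protected" message was hiding.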