Submitted by joachimb on Tue, 06/11/2013 - 14:32
Hi,
Apparently, the drupal install script creates a correct drupal installation, but some of the functionalities don't work because of the FollowSymLinks setting in the .htaccess files drupal creates.
Can't you fix it, so that the .htaccess files drupal creates are changed to use SymLinksIfOwnerMatch instead of FollowSymLinks, to comply with the virtualmin security settings?
As far as I know, it won't break drupal installations (didn't break anything for my installations), but leaving this in will create issues with newly created drupal installations.
Thanks for looking into it!
Status:
Closed (fixed)
Comments
Submitted by andreychek on Tue, 06/11/2013 - 14:39 Comment #1
Howdy -- the htaccess files that come with Drupal should actually be changed to use SymLinksIfOwnerMatch rather than FollowSymlinks, after performing an installation using the Install Script.
Which htaccess file(s) are you seeing that are using FollowSymlinks? It's possible that something managed to get overlooked. Thanks!
Submitted by joachimb on Tue, 06/11/2013 - 15:03 Comment #2
Hi,
So you're saying that you already changed this setting in the .htaccess in the install script?
I had a complaint from a client that some pictures weren't showing in their drupal install. After looking into it, the .htaccess file that was located in sites/default/files in the drupal install was the cause of this problem.
I just reinstalled a drupal with the install script, followed the install wizard, and apparently, there is no .htaccess in the sites/default/files directory when creating a clean install...
Created some content - still no .htaccess file
Have no clue how it got there - just assumed it was the install script - but apparently not :-)
Thanks anyway!
Submitted by andreychek on Tue, 06/11/2013 - 15:05 Comment #3
Yup, Virtualmin should fix the .htaccess files in Drupal so that they use SymLinksIfOwnerMatch.
If you ever find that not to be the case, let us know and we'd be happy to look into that.
Submitted by joachimb on Wed, 10/16/2013 - 15:20 Comment #4
Hello,
I'm coming back to this issue. There is indeed something wrong with the drupal install. There is a default .htaccess in the root install, but when you upload files, drupal creates a .htaccess in folder sites/default/files/.
It is in this file where there still is a FollowSymLinks.
Maybe it's best that you could create the folder already when installing drupal, adding the following default .htaccess:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +SymlinksIfOwnerMatch
Submitted by andreychek on Wed, 10/16/2013 - 15:31 Comment #5
Jamie, it sounds like there are some .htaccess files Drupal creates on the fly -- they don't exist on a default install.
While we could pre-generate them, another solution would be to make a code tweak to the Drupal code that generates these, so that it properly uses the SymlinksIfOwnerMatch option.
The option appears to be in includes/file.inc, on line 490 and 494... it looks like this:
if ($private) {
  // Private .htaccess file.
  $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nDeny from all\nOptions None\nOptions +FollowSymLinks";
}
else {
  // Public .htaccess file.
  $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks";
}
What do you think about just doing a substitution on that file, changing FollowSymLinks to SymlinksIfOwnerMatch?
Submitted by joachimb on Wed, 10/16/2013 - 16:59 Comment #6
I think that would be a more elegant solution. I noticed the issue on the mentioned location, but I'm not sure it's the only location where it can occur...
Submitted by JamieCameron on Wed, 10/16/2013 - 17:16 Comment #7
Thanks for pointing this out - I'll fix the Virtualmin installer of Drupal in the next release to change that code.
Submitted by Issues on Wed, 10/30/2013 - 19:51 Comment #8
Automatically closed -- issue fixed for 2 weeks with no activity.
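The substitution proposed in comment #5, extended to the concern in comment #6 that file.inc may not be the only location, as an added example (this is not Virtualmin's installer code, and it is not from the thread's participants). The function names, the dry-run flag and the sample tree are assumptions made for illustration; the script audits every .htaccess under a docroot plus includes/file.inc and rewrites only places that switch FollowSymLinks on.

```python
import re
import tempfile
from pathlib import Path

# Apache option names are case-insensitive. An optional "+" is kept; a
# "-FollowSymLinks" (option being switched off) is deliberately not matched.
FOLLOW = re.compile(rb"(?<![-\w])(\+?)FollowSymLinks\b", re.IGNORECASE)

def targets(root):
    """Every .htaccess under root, plus the generator named in comment #5."""
    yield from sorted(root.rglob(".htaccess"))
    generator = root / "includes" / "file.inc"
    if generator.is_file():
        yield generator

def fix_symlink_option(docroot, dry_run=False):
    """Return root-relative paths that enable FollowSymLinks; rewrite them unless dry_run."""
    root, hits = Path(docroot), []
    for path in targets(root):
        data = path.read_bytes()  # bytes: line endings and encoding stay untouched
        fixed = FOLLOW.sub(rb"\1SymLinksIfOwnerMatch", data)
        if fixed != data:
            hits.append(path.relative_to(root).as_posix())
            if not dry_run:
                path.write_bytes(fixed)
    return hits

def demo():
    """Constructed sample tree (not a real Drupal install) built from the lines quoted above."""
    public = (b"SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\n"
              b"Options None\nOptions +FollowSymLinks\n")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "sites/default/files").mkdir(parents=True)
        (root / ".htaccess").write_bytes(b"Options -FollowSymLinks\n")  # must stay as is
        (root / "sites/default/files/.htaccess").write_bytes(public)
        (root / "includes/file.inc").write_bytes(
            b'$htaccess_lines = "Options None\\nOptions +FollowSymLinks";\n')
        audit = fix_symlink_option(root, dry_run=True)   # report only
        changed = fix_symlink_option(root)               # rewrite in place
        left = fix_symlink_option(root, dry_run=True)    # nothing should remain
        return audit, changed, left, (root / "sites/default/files/.htaccess").read_bytes()

if __name__ == "__main__":
    for name, value in zip(("audit", "changed", "left", "public .htaccess"), demo()):
        print(name, "=>", value)
```

Run it with dry_run=True first to see which files would change. A Drupal core update replaces includes/file.inc, so the audit is worth repeating afterwards.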