- Slovakia poker10
Drupal 7 is now EOL. Moving back to Drupal 8 as Fixed, so that credits are assigned correctly. Thanks everyone!
Automatically closed - issue fixed for 2 weeks with no activity.
Drupal uses the front controller pattern, meaning that all requests are handled by one entry point. This is index.php and some others like update.php or install.php. For a standard Drupal installation it therefore makes no sense to allow the direct execution of PHP files in subfolders. Quite the opposite: it poses a security risk especially to files directories where uploaded files could get executed (although files with the PHP extension should never get there in the first place). It can also have strange effects if there are custom developed *.php files (in most cases the log will be cluttered with PHP fatal errors because they don't work without Drupal). In Drupal 8 we are introducing even more files with the *.php extension (mostly containing classes for the autoloader), and we surely don't want to execute them on their own.
Add a rule to .htaccess to forbid execution of PHP files in subfolders.
Discussion and Feedback.
None.
None.
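The proposed resolution can be checked against sample request paths. This is an added example, not part of the original issue and not Drupal's own code: the rewrite pattern, the helper names and the sample paths are assumptions made for illustration, and the model ignores URL decoding and path normalization that Apache performs before matching.

```python
import re

# Assumed rule for this example (not quoted from the issue), as it could
# appear in the top-level .htaccess inside <IfModule mod_rewrite.c>:
#   RewriteRule "^(.+/.*)\.php($|/)" - [F]
# In per-directory context mod_rewrite matches the path relative to the
# directory that holds the .htaccess, without the leading slash.
SUBFOLDER_PHP = re.compile(r"^(.+/.*)\.php($|/)")


def is_forbidden(url_path: str) -> bool:
    """Return True if the assumed rule would answer 403 for this path."""
    # The query string is not part of what RewriteRule matches against.
    relative = url_path.split("?", 1)[0].lstrip("/")
    return SUBFOLDER_PHP.search(relative) is not None


# Constructed sample request paths, one per case worth checking.
SAMPLES = [
    "/index.php",                          # front controller stays reachable
    "/update.php?op=info",                 # other top-level entry point
    "/index.php/node/1",                   # PATH_INFO on the front controller
    "/sites/default/files/upload.php",     # PHP file in a files directory
    "/modules/custom/tool.php/extra",      # subfolder PHP with PATH_INFO
    "/core/lib/Drupal.php",                # class file meant for the autoloader
    "/sites/default/files/notes.php.txt",  # not a .php request, unaffected
    "/sites/default/files/image.png",      # ordinary static file
]


def audit(paths):
    """Map each path to True (blocked) or False (still served)."""
    return {path: is_forbidden(path) for path in paths}


if __name__ == "__main__":
    for path, blocked in audit(SAMPLES).items():
        print(f"{'403' if blocked else 'ok':4} {path}")
```
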
Fixed
8.0
base system
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.