file_ensure_htaccess() expects config staging directory to be writable

Created on 18 August 2016, over 8 years ago
Updated 19 April 2024, 12 months ago

Problem/Motivation

Over at #2466197: "Staging directory should not have to be writeable", requirements were updated so that the config staging directory isn't required to be writable, but file_ensure_htaccess() still expects it to be writable if the staging directory is configured:

  // If a staging directory exists then it should contain a .htaccess file.
  // @todo https://www.drupal.org/node/2696103 catch a more specific exception
  //   and simplify this code.
  try {
    $staging = config_get_config_directory(CONFIG_SYNC_DIRECTORY);
  }
  catch (\Exception $e) {
    $staging = FALSE;
  }
  if ($staging) {
    // Note that we log an error here if we can't write the .htaccess file. This
    // can occur if the staging directory is read-only. If it is then it is the
    // user's responsibility to create the .htaccess file.
    file_save_htaccess($staging, TRUE);
  }

This causes a flood of security errors in the log since this is called for every single file write operation within a request, sometimes multiple times per request: https://www.drupal.org/files/issues/2016-08-18%20at%201.42%20PM.png

Proposed resolution

  • Check if the staging directory is writable before attempting to write the .htaccess file
  • Add a setting (possibly for tmp and private files as well) that indicates that the staging directory is outside the webroot and doesn't need .htaccess (also useful for non-Apache users)
  • Make sure that file_ensure_htaccess() is only run once per request?

Remaining tasks

User interface changes

None

API changes

None

Data model changes

None

🐛 Bug report
Status

Postponed: needs info

Version

11.0 🔥

Component
Configuration

Last updated about 1 hour ago

Created by

🇺🇸 United States mikey_p Dayton, OH
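
The three proposals in the issue summary above (check writability first, allow a setting for directories outside the webroot, act once per request), as an added PHP example that is not Drupal core code and not part of the original issue. The function `example_ensure_htaccess()`, the `$outside_webroot` flag and the `.htaccess` contents are hypothetical.

```php
<?php
// Added example: hypothetical helper, not Drupal core code.

/**
 * Protects $dir with an .htaccess file without writing when it cannot succeed.
 *
 * @return string 'skipped', 'present', 'read-only' or 'written'. The result
 *   is remembered, so repeat calls in one request do no I/O and no logging.
 */
function example_ensure_htaccess(string $dir, bool $outside_webroot, array &$log): string {
  static $results = [];
  if (isset($results[$dir])) {
    return $results[$dir];
  }
  $file = $dir . '/.htaccess';
  if ($outside_webroot) {
    // Assumed site setting: the directory is not served by the web server.
    $status = 'skipped';
  }
  elseif (is_file($file)) {
    $status = 'present';
  }
  elseif (!is_writable($dir)) {
    // One message per request instead of one per file write.
    $log[] = "Cannot write $file: directory is read-only; create it by hand.";
    $status = 'read-only';
  }
  else {
    // Constructed minimal contents (Apache 2.4 syntax), not Drupal's template.
    file_put_contents($file, "Require all denied\n");
    chmod($file, 0444);
    $status = 'written';
  }
  return $results[$dir] = $status;
}

// Demo on constructed temporary directories. Run as an unprivileged user:
// for root the 0555 directory is still writable.
$log = [];
$ro = sys_get_temp_dir() . '/sync_ro_' . uniqid();
$rw = sys_get_temp_dir() . '/sync_rw_' . uniqid();
mkdir($ro, 0555);
mkdir($rw, 0755);
foreach ([1, 2, 3] as $attempt) {
  example_ensure_htaccess($ro, FALSE, $log);
}
echo example_ensure_htaccess($rw, FALSE, $log), "\n";
echo count($log), " log message(s)\n";
```

Caching the `present` result trusts an existing file without checking its contents, so a deployment that relies on this should verify the file once at deploy time.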


Comments & Activities


  • 🇳🇿 New Zealand quietone

    It has been 8 years since there was discussion here. Is this problem still relevant? I found that file_ensure_htaccess() is replaced by \Drupal\Core\File\HtaccessWriter::ensure.

    Since we need more information to move forward with this issue, I am setting the status to Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

    Thanks!

  • Status changed to Closed: cannot reproduce 3 months ago
  • 🇳🇿 New Zealand luke.stewart