"TEMPORARY/PUBLIC/PRIVATE FILES DIRECTORY" security error provides useless guidance

Created on 4 September 2017, almost 7 years ago
Updated 25 August 2023, 10 months ago

On a fresh install of 8.3.7 running on Dreamhost shared hosting, I get a warning at /admin/reports/status advising of this:

TEMPORARY FILES DIRECTORY
Not fully protected
See https://www.drupal.org/SA-CORE-2013-003 β†’ for information about the recommended .htaccess file which should be added to the /tmp directory to help protect against arbitrary code execution.

Problems:

  • The linked site is for Drupal 6 and 7. It does not provide obvious guidance for Drupal 9 and 10 users.
  • I assume we should use the .htaccess file recommended for Drupal 7. It appears I have to copy code from two separate parts of the page to get the recommended .htaccess file.
  • The warning doesn't tell me where the temp directory even is. Had I seen that, I would have immediately noticed it's using the shared /tmp for the whole server.

Expectation: warning messages link to useful pages. Unlike the page actually linked, useful pages provide clear guidance and "don't make me think" solutions. Also, the warning message here should advise me where the temp directory actual is. Don't make me hunt across the configuration to find this.

I'm filing this as a bug because I am confident that this isn't in line with Drupal's commitment to good UX.

Proposed solution

  1. Create an updated documentation page on Drupal.org that explain how to fix this problem in plain language: ( done β†’ ).
  2. Replace the stream wrapper temporary:// with the actual file system path. Done.
  3. Replace the link to the SA with a link to this documentation page in the warning displayed in the status report. Done.

Remaining tasks

  1. Reroll patch in #23 for Drupal 11.
  2. Address points raised in #27.
  3. Review the revised patch.
  4. After it reaches RTBC, commit to the next release.

User interface changes

Users experiencing this will see a text with a link to more helpful guidance than the present one.

πŸ› Bug report
Status

Needs work

Version

11.0 πŸ”₯

Component
File systemΒ  β†’

Last updated about 10 hours ago

Created by

πŸ‡ΊπŸ‡ΈUnited States Aren Cambre

Live updates comments and jobs are added and updated live.
  • Documentation

    Primarily changes documentation, not code. For Drupal core issues, select the Documentation component instead of using this tag. In general, component selection is preferred over tag selection.

  • Usability

    Makes Drupal easier to use. Preferred over UX, D7UX, etc.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • πŸ‡©πŸ‡ͺGermany diqidoq Berlin | Hamburg | New York | London | Paris

    Testing on D 9.5.7. ....

    1. Error message leads to the wrong docs and finding this issue is a question of luck. (found it by checkin gif it already exist and needs to be created and then finding a link in another issue leading to here).
    2. After reading thrue the issue it creates the impression the correct doc link is this: https://www.drupal.org/docs/installing-drupal/some-directory-not-fully-p... β†’
    3. This docs state that removing a possible outdated .htaccess file will make Drupal to recreate it after entering the file management settings page in admin area. This is partly true and only happens if you run cron.
    4. The .htaccess file created by Drupal after that will cause the same error message again.

    Comparing the created .htaccess file with others shows following difference:

    git diff --git a/private-files/.htaccess b/web/sites/default/files/.htaccess
    index d436879..e7f06ca 100644
    --- a/private-files/.htaccess
    +++ b/web/sites/default/files/.htaccess
    @@ -1,13 +1,3 @@
    -# Deny all requests from Apache 2.4+.
    -<IfModule mod_authz_core.c>
    -  Require all denied
    -</IfModule>
    -
    -# Deny all requests from Apache 2.0-2.2.
    -<IfModule !mod_authz_core.c>
    -  Deny from all
    -</IfModule>
    -
     # Turn off all options we don't need.
     Options -Indexes -ExecCGI -Includes -MultiViews
    
    @@ -19,9 +9,9 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
     </Files>
    
     # If we know how to do it safely, disable the PHP engine entirely.
    -<IfModule mod_php7.c>
    +<IfModule mod_php5.c>
       php_flag engine off
     </IfModule>
    -<IfModule mod_php.c>
    +<IfModule mod_php7.c>
       php_flag engine off
     </IfModule>
    \ No newline at end of file
    

    Which propably needs another issue since this here is only regarding the error message.

  • πŸ‡©πŸ‡ͺGermany diqidoq Berlin | Hamburg | New York | London | Paris

    Since this is a security warning I partly agree on the issue status since this issue let users run in circles with no avail. I strongly recommend to add a temporary section to the docs linked to in the warning leading to here. The warning level in the admin reports is high so it isn't just a "notification".

  • Status changed to Needs review 10 months ago
  • πŸ‡³πŸ‡΄Norway gisle Norway

    In comment #29, diqidoq objects:

    This doc page states that removing a possible outdated .htaccess file will make Drupal to recreate it after entering the file management settings page in admin area. This is partly true and only happens if you run cron.

    This is not my experience.

    If the directory in question is writeable by the web server.
    The required and correct .htaccess is automatically created when one visits the file system configuration page.

    This is really bad UX folks. Please see " support forum post β†’ for a recent example.

    Setting it back to "Needs review". If you really think it "Needs work, please list remaining tasks in the issue summary.

  • πŸ‡ΊπŸ‡ΈUnited States cilefen

    A core committer commented with desired changes in #27 yet I don't see any patches since that, nor comments addressing those points.

  • last update 10 months ago
    Patch Failed to Apply
  • πŸ‡³πŸ‡΄Norway gisle Norway

    Updated issue summary with current status.

  • Status changed to Needs work 10 months ago
  • πŸ‡ΊπŸ‡ΈUnited States smustgrave

    #33 mentioned the changes that should be addressed

  • πŸ‡³πŸ‡΄Norway gisle Norway

    #33 doesn't mention any changes, it just refererences #27. As for #27, it mentions three changes, summarized below:

    1. we've got a weird additional indent here
    2. let's just inline @doc into the translation string so the additional context is there for translators
    3. can we use the directory from the loop instead of ::getTempDirectory for %directory?

    I've no idea what is meant by the first one, so I am unable to address this.

    However, items #2 and #3 look sensible.

    Anyway, we've moved from Drupal 9 to Drupal 11, and patch in #23 no longer applies.

Production build 0.69.0 2024