- 🇬🇧United Kingdom catch
potential_fix.txt should be converted to an MR or patch.
Apart from the existing files htaccess protection test coverage, I don't see a way to validate this apart from manual testing, so tagging for that.
The Code execution prevention (in Files directory .htaccess) will not function if the PHP handler is set inside an Apache If directive.
Tested on Drupal version 7.69. Believed to also affect 8.x.
You can see this vulnerability by following these steps:
1. Configure Apache to handle PHP using the attached configuration for PHP-FPM. (Note that the If "-f %{REQUEST_FILENAME}" configuration is recommended by https://cwiki.apache.org/confluence/display/HTTPD/PHP-FPM#PHP-FPM-Proxyv... )
2. Install Security Review module and run Security review checklist.
3. The Security Review "Executable PHP in files directory" test will show that execution of PHP files in the files directory is allowed.
This happens because the Apache If directive is merged after the Files * directive in files/.htaccess.
A potential fix is to add an If directive to files/.htaccess. For example, see the attached potential_fix.txt.
Active
9.5
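A static check for the condition this issue describes, added here as an example (not code from Drupal core or the Security Review module): it scans Apache configuration text for a SetHandler that sits inside an If section, which per the report is merged after the Files * block in files/.htaccess. The sample configurations, the socket path and the function name are constructed for illustration.

```python
import re

# Constructed sample modelled on the PHP-FPM proxy setup the report describes;
# the document root and socket path are placeholders.
SAMPLE_VHOST = '''
<VirtualHost *:80>
    DocumentRoot "/var/www/drupal"
    <FilesMatch "\\.php$">
        <If "-f %{REQUEST_FILENAME}">
            SetHandler "proxy:unix:/run/php-fpm.sock|fcgi://localhost/"
        </If>
    </FilesMatch>
</VirtualHost>
'''

# Constructed sample: handler set directly in FilesMatch, with no If section.
SAMPLE_PLAIN = '''
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
'''

OPEN = re.compile(r'^<\s*([A-Za-z]+)\b(.*)>$')
CLOSE = re.compile(r'^</\s*([A-Za-z]+)\s*>$')
IF_SECTIONS = {'if', 'elseif', 'else'}

def find_handlers_in_if(config_text):
    """Return (line_no, enclosing_sections, directive) for every SetHandler
    found inside an If/ElseIf/Else section of the given config text."""
    stack, findings = [], []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        closing = CLOSE.match(line)
        if closing:
            # Unwind to the matching opener, tolerating unbalanced input.
            name = closing.group(1).lower()
            while stack and stack.pop() != name:
                pass
            continue
        opening = OPEN.match(line)
        if opening:
            stack.append(opening.group(1).lower())
            continue
        if line.split()[0].lower() == 'sethandler' and IF_SECTIONS & set(stack):
            findings.append((line_no, tuple(stack), line))
    return findings
```

Any finding means the handler override in files/.htaccess should be confirmed by the manual test described above rather than assumed to hold.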