- 🇬🇧United Kingdom catch
potential_fix.txt should be converted to an MR or patch.
Apart from the existing files htaccess protection test coverage, I don't see a way to validate this apart from manual testing, so tagging for that.
- Assigned to kentr
- 🇺🇸United States kentr Durango, CO
There's an MR for review.
A few FunctionalJavascript tests errored but passed on retry.
FWIW, access to PHP files in
sites/default/files
is currently blocked by the root.htaccess
.With this change, the Security Review overview still states that PHP files in the Drupal files directory can be executed.
However, I've confirmed manually that they are not executed: the raw PHP source is served. It looks like a case of ambiguity in the messaging. Here's the details message:
The Drupal files directory is for user-uploaded files and by default provides some protection against a malicious user executing arbitrary PHP code against your site. Read more about the risk of PHP code execution on Drupal.org.
The .htaccess file is writable which poses a risk should a malicious user find a way to execute PHP code they could alter the .htaccess file to allow further PHP code execution.
I've attached a new PHP-FPM config to reproduce this.
- 🇬🇧United Kingdom longwave UK
I thought we could extend Drupal\Tests\system\Functional\System\HtaccessTest to try and cover this case, but given that it also needs php-fpm in a specific configuration it's not going to be very easy to recreate in CI.
While this is a security hardening, we can't entirely control what people might do with Apache directives and .htaccess; as this requires modifying the root .htaccess I am tempted to say that if you are doing that then you are on your own. But on the other hand I suppose this hardening can't harm anything if we do add it?
- 🇬🇧United Kingdom longwave UK
Tagged "needs work" because this still has the "needs manual testing" tag.