Prevent users from uploading .htaccess files

Created on 17 June 2025

This issue was discussed by the Drupal Security Team, and their decision was that this can be solved in a public issue.

Problem/Motivation

This is a hardening follow-up to address cases where a cross-site content hijacking exploit could grant an attacker the ability to change allowed file types for upload. In order to mitigate damage, @davidstrauss recommends hard-forbidding uploading of .htaccess.

I'm not sure if we can set AllowOverride in our own .htaccess to restrict/disallow use of deeper ones, but that would also be good.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Background information
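A filename guard in the spirit of the hard-forbid recommendation in the issue summary, added here as an example: it is not Drupal core code and not code from the issue reporter. The function name isForbiddenUploadName and the constructed sample names are assumptions for illustration. It goes slightly beyond the literal .htaccess by treating the whole .ht* family as reserved, because Apache's stock configuration denies web access to those names anyway.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not Drupal core code): hard-forbid uploads whose name Apache
 * would treat as per-directory configuration, independent of whatever list of
 * allowed extensions is configured for the site.
 *
 * The function name and behaviour are assumptions for illustration.
 */
function isForbiddenUploadName(string $filename): bool
{
    // NUL bytes can truncate the name at a lower layer ("x.htaccess\0.jpg"),
    // so strip them before anything else is decided.
    $name = str_replace("\0", '', $filename);

    // Only the last path segment matters; "uploads/.htaccess" or
    // "..\\.htaccess" would slip past a check on the whole string.
    $base = basename(str_replace('\\', '/', $name));

    // Normalise variants that still land on the same file: surrounding
    // whitespace, trailing dots (stripped by Windows), letter case.
    $base = strtolower(rtrim(trim($base), ". \t\r\n"));

    // Reject every ".ht*" name (.htaccess, .htpasswd, ...), not just the
    // literal ".htaccess"; Apache's default config reserves the whole family.
    return $base !== '' && str_starts_with($base, '.ht');
}

/** Constructed sample names (assumed inputs) exercising the check. */
function demo(): array
{
    $samples = [
        '.htaccess',
        '.HTACCESS',
        'uploads/.htaccess',
        '.htaccess.',      // trailing dot
        ' .htaccess ',     // surrounding whitespace
        ".htaccess\0.jpg", // NUL-byte truncation attempt
        '.htpasswd',
        'photo.jpg',
        'htaccess.txt',
        'my.htaccess.txt',
    ];
    $out = [];
    foreach ($samples as $sample) {
        $out[$sample] = isForbiddenUploadName($sample);
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    foreach (demo() as $sample => $blocked) {
        printf("%-24s %s\n", json_encode($sample), $blocked ? 'REJECT' : 'allow');
    }
}
```

The check is keyed on the normalised basename rather than on the configured extension list, so an attacker who manages to change the allowed file types, which is the scenario the issue describes, still cannot get an .htaccess file onto disk through the upload path. On the AllowOverride question raised above: that directive is only accepted in the server configuration's Directory context, not inside a .htaccess file, so restricting deeper overrides has to be done in httpd.conf or the virtual host, and any directives that Drupal's own generated .htaccess in the files directory relies on would then need to move there as well.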

📌 Task
Status

Active

Version

11.0 🔥

Component

file system

Created by

🇺🇸 United States akalata

Tags

  • Security improvements
