Contrib.social

Automatic creation of .htaccess files can cause errors

Open on Drupal.org β†’
Created on 17 January 2009, over 16 years ago
Updated 13 February 2025, 3 months ago

Problem/Motivation

Drupal enforces creation of .htaccess files yet some environments don't use them and others create errors when they are present (eg. IIS + WebsitePanel).

Proposed resolution

When Apache is reported as the web server, automatically create .htaccess files. Otherwise, do not create them and warn the user about the possible implications of this. Allow users to explicitly enable or disable the automatic creation of .htaccess files using a config setting (and hence clear any warning message).

Remaining tasks

  • Determine if we should only disable .htaccess auto creation as an option for certain web server platforms (#56)
  • Determine the server platform names ($_SERVER['SERVER_SOFTWARE']) that need to be whitelisted
  • Re-roll patch so it applies to HEAD.

User interface changes

New warning message in File System section of Status Report.

API changes

New config setting.

Original report by kbahey

Check for .htaccess, and creating .htaccess should only be done for Apache

We are currently doing this check for non-Apache servers too, and it causes errors to be displayed when using IIS and other servers.

So, this patch limits this checking and .htaccess creation to Apache only.

πŸ› Bug report
Status

Needs work

Version

11.0 πŸ”₯

Component

file system

Created by

πŸ‡¨πŸ‡¦Canada kbahey

Live updates comments and jobs are added and updated live.
  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • First commit to issue fork.
  • Merge request !11204Resolve #360057 "Automatic creation of" β†’ (Open) created by smustgrave
  • Pipeline finished with Failed
    3 months ago
    Total: 150s
    #423442
  • Pipeline finished with Success
    3 months ago
    Total: 496s
    #423444
  • Comment 3 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    So this one is coming as the "One" for bugsmash so thought I'd give it a quick look.

    Took the patch in #82 and only slightly fixed up with today's checks: Constructor promotion, return types, deprecation version.

    #87 I agree and changed that to an error()

    Also tweaked the CR some but it was pretty straight forward.

    Still NW for

    The new setting needs to be added to settings.php with a comment.

  • Pipeline finished with Success
    26 days ago
    Total: 728s
    #472737
  • Comment 26 days ago β†’
    πŸ‡¦πŸ‡ΊAustralia kim.pepper πŸ„β€β™‚οΈπŸ‡¦πŸ‡ΊSydney, Australia

    Rebased on 11.x and added docs to default.settings.php

  • Pipeline finished with Failed
    26 days ago
    Total: 109s
    #472746
  • Pipeline finished with Success
    26 days ago
    Total: 565s
    #472750
  • Pipeline finished with Failed
    26 days ago
    Total: 197s
    #472760
  • Pipeline finished with Success
    26 days ago
    Total: 985s
    #472762
  • Comment 26 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Settings read well to me.

    16 years and this one may be good

  • Pipeline finished with Failed
    25 days ago
    Total: 132s
    #473564
  • Status changed to Needs review 25 days ago
  • Comment 25 days ago β†’
    πŸ‡¦πŸ‡ΊAustralia kim.pepper πŸ„β€β™‚οΈπŸ‡¦πŸ‡ΊSydney, Australia

    Back to NR for the feedback from @acbramley

  • Pipeline finished with Failed
    25 days ago
    Total: 106s
    #473565
  • Pipeline finished with Success
    25 days ago
    Total: 741s
    #473566
  • Comment 25 days ago β†’
    πŸ‡¦πŸ‡ΊAustralia acbramley
  • Comment 20 days ago β†’
    πŸ‡ΈπŸ‡°Slovakia poker10

    I reviewed the MR and added some comments.

    I also think this still needs an issue summary update, because these parts from IS are not implemented:

    • When Apache is reported as the web server, automatically create .htaccess files. Otherwise, do not create them and warn the user about the possible implications of this
    • New warning message in File System section of Status Report.

    When manually tested this, I was unable to find the warning entry in the log (Auto-creating htaccess disabled.), as the file creation is blocked in the parent function (HtaccessWriter::ensure()), so if the auto_create_htaccess config is set to FALSE, it will never reach the code in HtaccessWriter::write(). Not sure it was the intent. Personally I think that we do not need this logging at all and it will be sufficient to create a follow-up to sort-out the errors in the status report, which are displayed if .htaccess files are missing and the auto_create_htaccess config is set to FALSE:

    Private files directory - Not fully protected
    See https://www.drupal.org/SA-CORE-2013-003 β†’ for information about the recommended .htaccess file which should be added to the private:// directory to help protect against arbitrary code execution.

    I think it does not make sense to have it as errors anymore, when you use this new switch and disable it's creation on purpose.

    Moving to NW for these.

    Thanks!

  • Pipeline finished with Failed
    18 days ago
    Total: 591s
    #478833
  • Pipeline finished with Canceled
    18 days ago
    Total: 137s
    #478838
  • Pipeline finished with Canceled
    18 days ago
    Total: 96s
    #478841
  • Comment 18 days ago β†’
    πŸ‡¦πŸ‡ΊAustralia kim.pepper πŸ„β€β™‚οΈπŸ‡¦πŸ‡ΊSydney, Australia

    Addressed feedback and updated the IS.

    I think we can create a new requirements check for the config setting. However, there was some pushback (#44_) on showing warnings on a standard install, so we need to be sure this is considered.

  • Pipeline finished with Success
    18 days ago
    Total: 1056s
    #478842
  • Comment 18 days ago β†’
    πŸ‡ΈπŸ‡°Slovakia poker10

    However, there was some pushback (#44_) on showing warnings on a standard install, so we need to be sure this is considered.

    Yes, I was thinking more about adjusting the existing error messages, which are displayed when .htaccess files are missing, so that these have a different wording when the auto_create_htaccess config is set to FALSE, or hide these messages entirely. I agree that adding a new requirements check with another warning or so is not ideal.

  • Comment 15 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States smustgrave

    Believe feedback has been addressed here.

    If we need a follow up ping me and I’ll happily do that

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024