Bug 427720

Summary: .htaccess file from drupal project missing
Product: [Fedora] Fedora
Reporter: Féliciano Matias <feliciano.matias>
Component: drupal
Assignee: Gwyn Ciesla <gwync>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: low
Version: 8
CC: k.georgiou
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: 5.6-1.fc8
Doc Type: Bug Fix
Last Closed: 2008-01-11 22:15:07 UTC

Description Féliciano Matias 2008-01-07 03:17:16 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10

Description of problem:
The drupal project provides a .htaccess file to improve security.
This file is not packaged.

If the file is provided, I suggest adding to /etc/httpd/conf.d/drupal.conf:
<Directory /usr/share/drupal/>
AllowOverride All
....
</Directory>


Version-Release number of selected component (if applicable):
drupal-5.5-1.fc8

How reproducible:
Always


Steps to Reproduce:
$ rpm -q -l drupal | grep htaccess
=> empty. No .htaccess


Comment 1 Gwyn Ciesla 2008-01-07 19:40:53 UTC
Good catch.  Testing now. . .

Comment 2 Lubomir Kundrak 2008-01-08 14:44:32 UTC
Does the lack of the .htaccess file actually compromise security in any way, or
does it just remove a hardening layer?

Comment 3 Gwyn Ciesla 2008-01-08 14:51:54 UTC
Hardening layer, AFAIK.  Should I reclassify as bugfix?

Comment 4 Féliciano Matias 2008-01-09 14:28:49 UTC
Related :
https://bugzilla.redhat.com/show_bug.cgi?id=427151

Drupal does not work with SELinux enabled.
After playing a little with drupal, I am not very happy/confident with this
package.
In a couple of weeks, perhaps I will have the time to check the Drupal package
again and correct some flaws.

Comment 5 Féliciano Matias 2008-01-09 14:37:29 UTC
ReOpen.
It's a bug !

Part of .htaccess actually ignored:
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$">
  Order allow,deny
</FilesMatch>

Or do you think Drupal has built a useless .htaccess?

With this file, it's easier to get "clean url" :
http://drupal.org/node/15365
It's a "click job" (tested with drupal 6.0-dev).


If you close the bug again, I will not reopen it.
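
An added example (not part of the bug thread or the Drupal package): a Python audit that applies the FilesMatch pattern quoted in comment 5 to a directory tree and reports whether the rule can take effect, which needs both the .htaccess file and an AllowOverride setting that permits it. The function names, the sample tree and the config text are constructed for illustration; the config parsing ignores Include files and inheritance from parent directories.

```python
import os
import re
import tempfile

# Pattern copied verbatim from the FilesMatch directive quoted in comment 5.
PROTECTED = re.compile(
    r"\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$"
    r"|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"
)

def allow_override(conf_text, directory):
    """Return the AllowOverride tokens set inside <Directory directory>, or None.
    Simplified (assumption): no Include handling, no inheritance from parents."""
    pat = r'<Directory\s+"?%s/?"?\s*>(.*?)</Directory>' % re.escape(directory.rstrip("/"))
    block = re.search(pat, conf_text, re.S | re.I)
    if not block:
        return None
    m = re.search(r"^\s*AllowOverride\s+(.+)$", block.group(1), re.M | re.I)
    return m.group(1).split() if m else None

def audit(docroot, conf_text, directory):
    """Return (rule_active, files): whether the deny rule can apply, and the
    files under docroot that it is meant to hide from web clients."""
    tokens = allow_override(conf_text, directory) or []
    has_htaccess = os.path.isfile(os.path.join(docroot, ".htaccess"))
    # Order/Deny belong to the Limit override class, so All or Limit is required.
    rule_active = has_htaccess and any(t.lower() in ("all", "limit") for t in tokens)
    files = sorted(
        os.path.relpath(os.path.join(d, f), docroot)
        for d, _sub, names in os.walk(docroot) for f in names
        if PROTECTED.search(f))
    return rule_active, files

def demo(with_htaccess, override):
    """Audit a constructed sample tree; file names and config text are made up."""
    sample = ["index.php", "includes/bootstrap.inc", "modules/node/node.module",
              "database/database.mysql", "CVS/Entries"]
    if with_htaccess:
        sample.append(".htaccess")
    conf = "<Directory /usr/share/drupal/>\n  AllowOverride %s\n</Directory>\n" % override
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit(root, conf, "/usr/share/drupal")
```

When `rule_active` is false, every path in the returned list is served like any other file in the tree, which is the situation the report describes.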

Comment 6 Gwyn Ciesla 2008-01-09 14:40:46 UTC
I did not close it.  

I have builds ready to push in bodhi to fix this.  Just waiting on LKundrak's
response to #3.

Comment 7 Gwyn Ciesla 2008-01-11 12:47:16 UTC
Removed bodhi requests, submitted new for new builds for 5.6, multiple upstream
security fixes, as well as this fix.

Comment 8 Fedora Update System 2008-01-11 22:15:06 UTC
drupal-5.6-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.