Bug 427720 - .htaccess file from drupal project missing
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: drupal
Version: 8
Hardware: All Linux
Priority: low
Severity: high
Assigned To: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2008-01-06 22:17 EST by Féliciano Matias
Modified: 2008-01-11 17:15 EST
Fixed In Version: 5.6-1.fc8
Doc Type: Bug Fix
Last Closed: 2008-01-11 17:15:07 EST
Description Féliciano Matias 2008-01-06 22:17:16 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10

Description of problem:
The drupal project provides a .htaccess to improve security.
This file is not packaged.

If the file is provided, I suggest adding to /etc/httpd/conf.d/drupal.conf:
<Directory /usr/share/drupal/>
AllowOverride All
....
</Directory>


Version-Release number of selected component (if applicable):
drupal-5.5-1.fc8

How reproducible:
Always


Steps to Reproduce:
$ rpm -q -l drupal | grep htaccess
=> empty. No .htaccess

Actual Results:


Expected Results:


Additional info:
Comment 1 Gwyn Ciesla 2008-01-07 14:40:53 EST
Good catch.  Testing now. . .
Comment 2 Lubomir Kundrak 2008-01-08 09:44:32 EST
Does the lack of the htaccess file actually compromise security in any way, or
does it just remove a hardening layer?
Comment 3 Gwyn Ciesla 2008-01-08 09:51:54 EST
Hardening layer, AFAIK.  Should I reclassify as bugfix?
Comment 4 Féliciano Matias 2008-01-09 09:28:49 EST
Related:
https://bugzilla.redhat.com/show_bug.cgi?id=427151

Drupal does not work with SELinux enabled.
After playing a little with drupal, I am not very happy/confident with this
package.
In a couple of weeks, perhaps I will have the time to check the Drupal package
again and correct some flaws.
Comment 5 Féliciano Matias 2008-01-09 09:37:29 EST
Reopen.
It's a bug!

Part of .htaccess actually ignored:
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$">
  Order allow,deny
</FilesMatch>



Or do you think Drupal has built a useless .htaccess?

With this file, it's easier to get "clean url":
http://drupal.org/node/15365
It's a "click job" (tested with drupal 6.0-dev).


If you close the bug again, I will not reopen it.
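
Added example (not part of the bug report or the Fedora package): a small audit that applies the FilesMatch pattern quoted in comment 5 to a file list and checks whether the `<Directory>` block from the description lets the .htaccess take effect. The file list, both configuration strings and all function names are constructed for illustration; as an assumption, only `AllowOverride All` is treated as honouring the file.

```python
import re

# FilesMatch pattern copied from the .htaccess excerpt quoted in comment 5.
PROTECTED = re.compile(
    r"\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$"
    r"|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"
)

def is_protected(path):
    """FilesMatch is applied to the file name only, so drop the directory part."""
    return PROTECTED.search(path.rsplit("/", 1)[-1]) is not None

def allow_override(conf_text, directory):
    """Return the AllowOverride arguments inside <Directory directory>, else None."""
    inside = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            inside = opened.group(1).rstrip("/") == directory.rstrip("/")
        elif line.lower().startswith("</directory"):
            inside = False
        elif inside and line.lower().startswith("allowoverride"):
            return [arg.lower() for arg in line.split()[1:]]
    return None

def unprotected_files(paths, conf_text, directory, htaccess_packaged):
    """Files the rule is meant to cover but that it cannot protect as deployed.

    Simplification (assumption): only the 'AllowOverride All' setting suggested
    in the report counts as honouring the .htaccess file.
    """
    args = allow_override(conf_text, directory) or []
    if htaccess_packaged and "all" in args:
        return []
    return [p for p in paths if is_protected(p)]

# Constructed sample data, not taken from the Fedora package.
FILES = ["index.php", "includes/bootstrap.inc", "modules/node/node.module",
         "themes/garland/page.tpl.php", "CVS/Entries", "misc/drupal.js"]
CONF_FIXED = "<Directory /usr/share/drupal/>\n  AllowOverride All\n</Directory>\n"
CONF_PLAIN = "<Directory /usr/share/drupal/>\n  Options FollowSymLinks\n</Directory>\n"

if __name__ == "__main__":
    for conf, packaged in ((CONF_PLAIN, False), (CONF_FIXED, True)):
        left = unprotected_files(FILES, conf, "/usr/share/drupal", packaged)
        print(f"packaged={packaged}: {len(left)} unprotected -> {left}")
```
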
Comment 6 Gwyn Ciesla 2008-01-09 09:40:46 EST
I did not close it.  

I have builds ready to push in bodhi to fix this.  Just waiting on LKundrak's
response to #3.
Comment 7 Gwyn Ciesla 2008-01-11 07:47:16 EST
Removed bodhi requests, submitted new for new builds for 5.6, multiple upstream
security fixes, as well as this fix.
Comment 8 Fedora Update System 2008-01-11 17:15:06 EST
drupal-5.6-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
