From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.1.10) Gecko/20071213 Fedora/2.0.0.10-3.fc8 Firefox/2.0.0.10

Description of problem:
The project drupal provides a .htaccess to improve security. This file is not packaged. If the file is provided, I suggest to add in /etc/httpd/conf.d/drupal.conf :

<Directory /usr/share/drupal/>
AllowOverride All
....
</Directory>

Version-Release number of selected component (if applicable):
drupal-5.5-1.fc8

How reproducible:
Always

Steps to Reproduce:
$ rpm -q -l drupal | grep htaccess
=> empty. No .htaccess

Actual Results:

Expected Results:

Additional info:

Good catch. Testing now. . .
Does the lack of htaccess file actually compromise the security in any way, or just remove a hardening layer?
Hardening layer, AFAIK. Should I reclassify as bugfix?
Related: https://bugzilla.redhat.com/show_bug.cgi?id=427151 Drupal does not work with SELinux enabled. After playing a little with drupal, I am not very happy/confident with this package. In a couple of weeks, perhaps I will have the time to check the Drupal package again and correct some flaws.

ReOpen. It's a bug! Part of .htaccess is actually ignored:

# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$">
  Order allow,deny
</FilesMatch>

Or do you think Drupal has built a useless .htaccess? With this file, it's easier to get "clean url": http://drupal.org/node/15365 It's a "click job" (tested with drupal 6.0-dev). If you close the bug again, I will not reopen it.

I did not close it. I have builds ready to push in bodhi to fix this. Just waiting on LKundrak's response to #3.
Removed bodhi requests, submitted new for new builds for 5.6, multiple upstream security fixes, as well as this fix.
drupal-5.6-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
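
Added example (not part of the original bug thread, and not Drupal or Fedora code): a Python check that applies the FilesMatch pattern quoted in the thread to a file list and reports which files lose that deny rule when the .htaccess is missing or the Directory block lacks AllowOverride All. The file list, config strings and function names are constructed for illustration, and treating only `AllowOverride All` as sufficient is a simplifying assumption.

```python
import os
import re

# Pattern copied verbatim from the FilesMatch block quoted in the thread.
PROTECTED = re.compile(
    r"\.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$"
    r"|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$"
)

def is_protected(path):
    """FilesMatch tests the file name only, not the directory part."""
    return PROTECTED.search(os.path.basename(path)) is not None

def allow_override(conf_text, directory):
    """Return the AllowOverride arguments set inside <Directory directory>, or None."""
    want = directory.rstrip("/")
    inside, found = False, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if m:
            inside = m.group(1).rstrip("/") == want
        elif re.match(r"</Directory\s*>", line, re.I):
            inside = False
        elif inside and line.lower().startswith("allowoverride"):
            found = line.split()[1:]
    return found

def exposed(paths, conf_text, directory="/usr/share/drupal"):
    """Paths the pattern is meant to deny but that nothing denies.

    Assumption: the .htaccess counts as honoured only when it is present in
    `paths` and the Directory block says `AllowOverride All`.
    """
    honoured = ".htaccess" in paths and "All" in (allow_override(conf_text, directory) or [])
    return [] if honoured else sorted(p for p in paths if is_protected(p))

# Constructed sample data (not taken from the real package).
SAMPLE_PATHS = ["index.php", "includes/common.inc", "modules/node/node.module",
                "database/database.mysql", "CVS/Entries", "misc/drupal.js"]
CONF_BEFORE = "Alias /drupal /usr/share/drupal\n<Directory /usr/share/drupal/>\n</Directory>\n"
CONF_AFTER = "<Directory /usr/share/drupal/>\n    AllowOverride All\n</Directory>\n"

if __name__ == "__main__":
    print(exposed(SAMPLE_PATHS, CONF_BEFORE))                   # no .htaccess shipped
    print(exposed(SAMPLE_PATHS + [".htaccess"], CONF_AFTER))    # file shipped and honoured
```

Shipping the .htaccess without the AllowOverride change leaves the same files unprotected, which is why the report asks for both.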