author    David Rothstein <drothstein@gmail.com>  2012-12-08 15:45:32 -0500
committer David Rothstein <drothstein@gmail.com>  2012-12-08 15:45:32 -0500
commit    ee22e043bf64dd0c4f2dd09a4edd7959a931c101 (patch)
tree      ab79e1ea639b94844d630879f40bfb7cf2bc9777
parent    e8d0d122983335532debb94132552540eb3443ce (diff)
download  brdo-ee22e043bf64dd0c4f2dd09a4edd7959a931c101.tar.gz
          brdo-ee22e043bf64dd0c4f2dd09a4edd7959a931c101.tar.bz2
Issue #1733476 by greggles, BMDan: Fixed Make default htaccess rules protocol sensitive to avoid man-in-the-middle attacks if users don't fully customize the rule.
-rw-r--r--  .htaccess      | 12
-rw-r--r--  CHANGELOG.txt  |  3
2 files changed, 13 insertions, 2 deletions
diff --git a/.htaccess b/.htaccess
index 246edc2db..5ca1b08bd 100644
--- a/.htaccess
+++ b/.htaccess
@@ -56,6 +56,13 @@ DirectoryIndex index.php index.html index.htm
<IfModule mod_rewrite.c>
RewriteEngine on
+ # Set "protossl" to "s" if we were accessed via https://. This is used later
+ # if you enable "www." stripping or enforcement, in order to ensure that
+ # you don't bounce between http and https.
+ RewriteRule ^ - [E=protossl]
+ RewriteCond %{HTTPS} on
+ RewriteRule ^ - [E=protossl:s]
+
# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or
# Git to store control files. Files whose names begin with a period, as well
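Review bot: `RewriteCond %{HTTPS} on` is only true when Apache terminates TLS itself. Behind a TLS-terminating proxy or load balancer that talks plain HTTP to the backend, %{HTTPS} is off, protossl stays empty, and the www/non-www redirects further down will send an https:// visitor to http://, which is exactly the downgrade this change sets out to prevent. The comment block should say so, and such deployments need an additional condition on the proxy's forwarded-protocol header, for example `RewriteCond %{HTTP:X-Forwarded-Proto} https` before a second `RewriteRule ^ - [E=protossl:s]`, with the caveat that this header is only trustworthy when the proxy overwrites any client-supplied value. Note also that the new variable only preserves the incoming scheme; it does not force HTTPS, and the comment should not leave readers expecting that it does.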
@@ -78,14 +85,15 @@ DirectoryIndex index.php index.html index.htm
# To redirect all users to access the site WITH the 'www.' prefix,
# (http://example.com/... will be redirected to http://www.example.com/...)
# uncomment the following:
+ # RewriteCond %{HTTP_HOST} .
# RewriteCond %{HTTP_HOST} !^www\. [NC]
- # RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
+ # RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#
# To redirect all users to access the site WITHOUT the 'www.' prefix,
# (http://www.example.com/... will be redirected to http://example.com/...)
# uncomment the following:
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
- # RewriteRule ^ http://%1%{REQUEST_URI} [L,R=301]
+ # RewriteRule ^ http%{ENV:protossl}://%1%{REQUEST_URI} [L,R=301]
# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
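Review bot: the explanatory comments above both rules still read "http://example.com/... will be redirected to http://www.example.com/...", which no longer describes the behaviour now that the target is `http%{ENV:protossl}://`; update them to say the incoming scheme (http or https) is preserved, and add that an http:// request still lands on http://, so a site that wants HTTPS everywhere needs a separate redirect in addition to these. The new `RewriteCond %{HTTP_HOST} .` guard is added only to the www-enforcing block; that is correct, since the non-www block's `^www\.(.+)$` pattern cannot match an empty Host header, but a one-line comment explaining the guard (without it a request carrying no Host header would be redirected to `http://www./...`) would help the people this patch says do not fully customise the rule.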
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 2ecf54806..6b2c303db 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,6 +1,9 @@
Drupal 7.18, xxxx-xx-xx (development version)
-----------------------
+- Made the default .htaccess rules protocol sensitive to improve security for
+ sites which use HTTPS and redirect between "www" and non-"www" versions of
+ the page.
Drupal 7.17, 2012-11-07
-----------------------