From be6b7b0f1dcbb861115a385b07f8c814a2b40a1a Mon Sep 17 00:00:00 2001
From: Gerhard Killesreiter
Date: Thu, 25 May 2006 01:33:53 +0000
Subject: prevent execution of scripts from files directory
---
 includes/file.inc | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'includes/file.inc')
diff --git a/includes/file.inc b/includes/file.inc
index 51012e45f..802df5656 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -112,6 +112,18 @@ function file_check_directory(&$directory, $mode = 0, $form_item = NULL) {
 }
 }
+ if ((file_directory_path() == $directory || file_directory_temp() == $directory) && !is_file("$directory/.htaccess")) {
+ if (($fp = fopen("$directory/.htaccess", 'w')) && fputs($fp, 'SetHandler This_is_a_Drupal_security_line_do_not_remove')) {
+ fclose($fp);
+ }
+ else {
+ $message = t("Security warning: Couldn't write .htaccess. Please create a .htaccess file in your %directory directory which contains the following line: SetHandler This_is_a_Drupal_security_line_do_not_remove", array('%directory' => $directory));
+ form_set_error($form_item, $message);
+ watchdog('file system', $message, WATCHDOG_ERROR);
+ }
+ }
+
+
 return true;
 }
-- cgit v1.2.3
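Review bot: When `fopen()` succeeds but `fputs()` fails, the `else` branch never closes `$fp` and leaves an empty `.htaccess` behind, so the `!is_file("$directory/.htaccess")` guard is satisfied on every later call and the directory stays unprotected with no further warning. Close the handle on both paths and remove the file when the write fails, as in the block below. The guard also tests only that the file exists, not that it still contains the `SetHandler` line, and the protection only takes effect where the web server honours `.htaccess` overrides; a short comment above the outer `if` stating both limits would help the next maintainer. The start of `file_check_directory()` lies outside the hunk.

```php
  $htaccess_path = "$directory/.htaccess";
  if ((file_directory_path() == $directory || file_directory_temp() == $directory) && !is_file($htaccess_path)) {
    $fp = fopen($htaccess_path, 'w');
    $written = $fp && fputs($fp, 'SetHandler This_is_a_Drupal_security_line_do_not_remove');
    if ($fp) {
      fclose($fp);
    }
    if (!$written) {
      if ($fp) {
        // An empty .htaccess would pass the is_file() guard on the next call
        // and hide the missing protection, so do not leave it in place.
        @unlink($htaccess_path);
      }
      // … unchanged: build $message, form_set_error(), watchdog() …
    }
  }
```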