Diffstat (limited to 'includes/file.inc')
-rw-r--r-- | includes/file.inc | 55 |
1 files changed, 45 insertions, 10 deletions
diff --git a/includes/file.inc b/includes/file.inc
index 3ca88e7f3..0ec69b701 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -470,8 +470,11 @@ function file_ensure_htaccess() {
  * @param $private
  *   FALSE indicates that $directory should be an open and public directory.
  *   The default is TRUE which indicates a private and protected directory.
+ * @param $force_overwrite
+ *   Set to TRUE to attempt to overwrite the existing .htaccess file if one is
+ *   already present. Defaults to FALSE.
  */
-function file_create_htaccess($directory, $private = TRUE) {
+function file_create_htaccess($directory, $private = TRUE, $force_overwrite = FALSE) {
   if (file_uri_scheme($directory)) {
     $directory = file_stream_wrapper_uri_normalize($directory);
   }
@@ -480,19 +483,12 @@ function file_create_htaccess($directory, $private = TRUE) {
   }
 
   $htaccess_path = $directory . '/.htaccess';
-  if (file_exists($htaccess_path)) {
+  if (file_exists($htaccess_path) && !$force_overwrite) {
     // Short circuit if the .htaccess file already exists.
     return;
   }
 
-  if ($private) {
-    // Private .htaccess file.
-    $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nDeny from all\nOptions None\nOptions +FollowSymLinks";
-  }
-  else {
-    // Public .htaccess file.
-    $htaccess_lines = "SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006\nOptions None\nOptions +FollowSymLinks";
-  }
+  $htaccess_lines = file_htaccess_lines($private);
 
   // Write the .htaccess file.
   if (file_put_contents($htaccess_path, $htaccess_lines)) {
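Review bot: With `$force_overwrite` set, the `file_put_contents($htaccess_path, $htaccess_lines)` call at the end of the second hunk now truncates an existing .htaccess before rewriting it, so a request served in between may see an empty or partial file — for a private directory that is a brief moment without `Deny from all` and without the SetHandler lines, a window the old create-only path never had. Writing the new contents to a temporary file in the same directory and `rename()`-ing it over `$htaccess_path` would make the replacement atomic. Independently, a forced call rewrites a file that is already correct on every invocation; computing `$htaccess_lines` before the existence check and adding `if ($force_overwrite && file_exists($htaccess_path) && file_get_contents($htaccess_path) === $htaccess_lines) { return; }` would skip the unnecessary write. The rest of file_create_htaccess, including the branch taken when `file_put_contents()` fails, lies outside the hunk.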
@@ -505,6 +501,45 @@ function file_create_htaccess($directory, $private = TRUE) {
 }
 
 /**
+ * Returns the standard .htaccess lines that Drupal writes to file directories.
+ *
+ * @param $private
+ *   (Optional) Set to FALSE to return the .htaccess lines for an open and
+ *   public directory. The default is TRUE, which returns the .htaccess lines
+ *   for a private and protected directory.
+ *
+ * @return
+ *   A string representing the desired contents of the .htaccess file.
+ *
+ * @see file_create_htaccess()
+ */
+function file_htaccess_lines($private = TRUE) {
+  $lines = <<<EOF
+# Turn off all options we don't need.
+Options None
+Options +FollowSymLinks
+
+# Set the catch-all handler to prevent scripts from being executed.
+SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
+<Files *>
+  # Override the handler again if we're run later in the evaluation list.
+  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
+</Files>
+
+# If we know how to do it safely, disable the PHP engine entirely.
+<IfModule mod_php5.c>
+  php_flag engine off
+</IfModule>
+EOF;
+
+  if ($private) {
+    $lines = "Deny from all\n\n" . $lines;
+  }
+
+  return $lines;
+}
+
+/**
  * Loads file objects from the database.
  *
  * @param $fids
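Review bot: The `Deny from all` that `file_htaccess_lines()` prepends for private directories is a mod_access_compat directive; on an Apache 2.4 host that loads only mod_authz_core it is, as far as I can tell, rejected as an invalid command, so Apache answers 500 for the directory instead of applying a clean denial, and the 2.4 equivalent `Require all denied` is not emitted at all. Wrapping both forms in `<IfModule mod_authz_core.c>` / `<IfModule !mod_authz_core.c>` guards keeps the file valid on either version. A smaller point: the `php_flag engine off` block only takes effect under mod_php5, so on any other PHP SAPI the protection rests entirely on the two SetHandler lines; saying so in the heredoc, e.g. `# Other SAPIs rely on the SetHandler lines above.`, would spare the next maintainer the inference. The whole function is inside the hunk.
```php
  // … unchanged: heredoc with the Options / SetHandler / mod_php5 blocks …

  if ($private) {
    // Apache 2.4's mod_authz_core does not understand "Deny from all" unless
    // mod_access_compat is loaded, so emit the directive each version accepts.
    $lines = "<IfModule mod_authz_core.c>\n  Require all denied\n</IfModule>\n"
      . "<IfModule !mod_authz_core.c>\n  Deny from all\n</IfModule>\n\n"
      . $lines;
  }
```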