Question

I have a site with Drupal 8.9

Why am I getting an error message in my dashboard for unprotected private files?

When I go to the link it says this is for Drupal 6 and 7.

PRIVATE FILES DIRECTORY
Not fully protected
See https://www.drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the private:// directory to help protect against arbitrary code execution.

https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2013-11-20/sa-core-2013-003-drupal-core


Solution

The error, which is reported by system_requirements(), means that either the directory doesn't contain a .htaccess file, or the .htaccess file doesn't contain the following lines.

<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

Together with the lines added for a previous security advisory, they prevent files in that directory from being executed.

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

Before showing that error message, Drupal tries to create the .htaccess file. (See HtaccessWriter::write().) If it's not able to create it, or write into that file, you should manually create the .htaccess file containing the following lines.

# Deny all requests from Apache 2.4+.
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>

# Deny all requests from Apache 2.0-2.2.
<IfModule !mod_authz_core.c>
  Deny from all
</IfModule>

# Turn off all options we don't need.
Options -Indexes -ExecCGI -Includes -MultiViews

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>

The same lines are shown in the error message contained in the Drupal log.
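As an added example that is not part of the original answer or of Drupal core, the POSIX shell function below audits a private files directory's .htaccess for the lines the answer lists (both SetHandler directives, the deny rules for Apache 2.0-2.4, and the Options line) and returns a non-zero status when any are missing or when the SA_2013_003 handler is not inside a <Files *> block. The directory path is the caller's argument; the demo directory at the end is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Drupal core code): audit a private:// .htaccess. Exit 0 = ok, 1 = incomplete, 2 = no file.
check_private_htaccess() {
  f="$1/.htaccess"
  if [ ! -f "$f" ]; then
    echo "MISSING: $f does not exist"
    return 2
  fi
  missing=0
  # Fixed-string match for each directive from the recommended file.
  for needle in \
    'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006' \
    'SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003' \
    'Require all denied' \
    'Deny from all' \
    'Options -Indexes -ExecCGI -Includes -MultiViews'
  do
    if ! grep -qF -- "$needle" "$f"; then
      echo "MISSING: $needle"
      missing=1
    fi
  done
  # The SA_2013_003 handler only overrides later handlers when it sits inside <Files *>.
  if ! awk '/<Files \*>/ {in_files=1} /<\/Files>/ {in_files=0}
            in_files && /SA_2013_003/ {found=1} END {exit !found}' "$f"; then
    echo "MISSING: SA_2013_003 SetHandler is not inside a <Files *> block"
    missing=1
  fi
  if [ "$missing" -eq 0 ]; then
    echo "OK: $f contains the expected directives"
  fi
  return "$missing"
}
# Demo on a constructed directory holding the essential lines of the recommended file.
demo_dir=$(mktemp -d)
cat > "$demo_dir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
  Deny from all
</IfModule>
Options -Indexes -ExecCGI -Includes -MultiViews
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>
EOF
check_private_htaccess "$demo_dir"
rm -rf "$demo_dir"
```

Run it against the real directory with `check_private_htaccess /path/to/private` after sourcing the file; the function's exit status can feed a monitoring check.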

Licensed under: CC-BY-SA with attribution