One of the fixes is described as "Code execution prevention". The Drupal security team wanted to add an extra layer of protection to stop hackers from uploading malicious files and having the server execute them.
This fix requires some people to make a manual change to their site and this tutorial will show you how.
If you go to Reports > Status Reports, you may see an error like the one below. This will only appear for people using an Apache server and with certain configurations.
The error will read like this:
"Temporary files directory Not fully protected
See http://drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the /Applications/MAMP/tmp/php directory to help protect against arbitrary code execution."
The actual directory suggested will be different, depending on where your site is hosted.
The directory that gives the warning is the Temporary directory. You can find this in Configuration > File System:
This directory is not always easy to find because of this restriction on the temporary directory:
"A local file system path where temporary files will be stored. This directory should not be accessible over the web."
What this means is that you may not find the /tmp directory amongst your normal Drupal files:
The /tmp directory may be at a higher level than your Drupal files. It may lie at least one level higher up, and outside of your normal web directory. In the image below, the web directory is /public_html.
Please note that if you do find the /tmp directory in a location like this, outside the web directory, you do not have to proceed any further. The recommended fix will not be useful there, because files in that directory cannot be requested over the web.
If your /tmp directory is inside your normal Drupal site files, you can proceed.
Inside the /tmp directory, create a file called .htaccess.
The content of the file should look like the image below. You can find the content at https://drupal.org/SA-CORE-2013-003.
Please note that some people are reporting that this does not remove the error message. However, even if your error message doesn't disappear, you have still done the correct fix.
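As an added example (not part of the original tutorial or of Drupal itself), the shell functions below carry out the check and the fix described above: they test whether the temporary directory really sits inside the web directory and only then create the .htaccess file. The function names and the paths in the usage comment are hypothetical, and the embedded rule set is assumed to match the advisory's recommendation for the temporary directory, so compare it with the text at https://drupal.org/SA-CORE-2013-003.

```shell
#!/bin/sh
# Added example. Assumption: the rules below match SA-CORE-2013-003.
# Usage (constructed paths): protect_tmp_dir /home/example/public_html /home/example/public_html/tmp

# Resolve a directory to its physical path, following symlinks.
real_dir() { ( cd "$1" 2>/dev/null && pwd -P ); }

# 0: $2 is the web root $1 or below it; 1: outside; 2: a path is missing.
inside_webroot() {
    root=$(real_dir "$1") || return 2
    dir=$(real_dir "$2") || return 2
    case "$dir/" in
        "$root"/*) return 0 ;;  # trailing slash keeps /www from matching /www2
        *) return 1 ;;
    esac
}

# Prints "outside" (no fix needed), "present" (file exists) or "written".
protect_tmp_dir() {
    inside_webroot "$1" "$2" && rc=0 || rc=$?
    case $rc in
        1) echo outside; return 0 ;;
        2) echo "directory not found" >&2; return 2 ;;
    esac
    target="$2/.htaccess"
    if [ -e "$target" ]; then echo present; return 0; fi
    cat > "$target" <<'EOF'
Deny from all

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
EOF
    chmod 0444 "$target"
    echo written
}
```

`Deny from all` is Apache 2.2 syntax; on Apache 2.4 it is only understood when mod_access_compat is loaded.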