Drupal 7.24 and 6.29: tmp directory and .htaccess

Drupal 7.24 and 6.29 were released in mid-November.
Both versions contained security fixes.
One of the fixes is described as “Code execution prevention”. The Drupal security team wanted to add an extra layer of protection to stop hackers from uploading malicious files.
This fix requires some people to make a manual change to their site and this tutorial will show you how.
If you go to Reports > Status Reports, you may see an error like the one below. This will only appear for people using an Apache server and with certain configurations.

The error will read like this:
“Temporary files directory Not fully protected
See http://drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the /Applications/MAMP/tmp/php directory to help protect against arbitrary code execution.”
The actual directory suggested will be different, depending on where your site is hosted.
The directory that gives the warning is the Temporary directory. You can find this in Configuration > File System:

This directory is not always easy to find, because of this restriction for the temporary directory.
“A local file system path where temporary files will be stored. This directory should not be accessible over the web.”
What this means is that you may not find the /tmp directory amongst your normal Drupal files:

The /tmp directory may be at a higher level than your Drupal files. It may lie at least one level higher up, and outside of your normal web directory. In the image below, the web directory is /public_html.

If your /tmp directory is Inside your normal Drupal site files, you can proceed.
Inside the /tmp directory, create a file called .htaccess.

The content of the file should look like the image below. You can find the content at https://drupal.org/SA-CORE-2013-003.

Please note that some people are reporting that this does not remove the error message. However, even if your error message doesn’t disappear, you have still done the correct fix.
Other notes:
- Mike in the comments says: “If /tmp is one directory above the web root the correct path is ../tmp That solved my error problem.”
- Achton in the comment suggests: “Another option is to simply delete the .htaccess files in question. Drupal will attempt to recreate them on next request.”
- If you’re not using Apache, “you need to configure PHP execution protection yourself in the respective server configuration files.” https://drupal.org/SA-CORE-2013-003
If /tmp is one directory above the web root, then it’s not accessible from the web and an .htaccess file there is meaningless. In such a case, this warning error is bogus and others have already posted this on d.o.
Yes, that’s a very valid point, thanks Fred
This error message has been confusing quite a lot of our members. I’ll add that point to the tutorial to help them better understand this message.
If /tmp is one directory above the web root the correct path is ../tmp
That solved my error problem.
Thanks Mike. This error message has caused more questions than anything we’ve seen in a while. I’ll add all the various fixes to the blog.
Another option is to simply delete the .htaccess files in question. Drupal will attempt to recreate them on next request.
Great, thanks Achton
Actually Drupal will create them on the next cron run so run cron after you delete them.
Thanks Steve, works perfect for me!
I replaced the content of the .htacces file in public files dir (sites/default/files) and temp files dir (C:/xampp/temp). Error messages are gone.
Great, glad that worked for you Wim
Well i did all the fixes mentioned for the “sites/default/files” and “/temp” directory but i still get an error message saying that my tmp directory (which is on the same level as all the other drupal directories) is still not fully protected. Where did i go wrong?
I got it! In Configuration -> File System there was the following path given for the temp directory: /tmp.
I changed it to tmp (without / ) and the error message was gone…..quite strange but it worked out for me!
Great, thanks for posting your solution
I finally created a tmp folder inside sites/default/files and change the path on Drupal. Drupal will create the .htaccess inside automatically.
Thanks Nikolas, that solved my problem
Hi, I created a tmp folder inside sites/default/files but i don`t know what to do rest. please help.
Thank you
You only have to reload your ‘Status Report’ page.
Thanks, that worked for me also.
Where I can find / tmp. My website is on a commercial server and can not find the folder or within my domain or the root.
As I can solve the problem.
Thanks.
It means that we should not do anything, but the sistem file error
thanks
i got it! In Configuration -> File System there was the following path given for the temp directory: /tmp.
I changed it to tmp (without / ) and the error message was gone…..quite strange but it worked out for me!
If I lose my site’s themeing when I add this .htaccess, what might be going wrong?
follow the directory, in the “Temporary files..Not Fully Protected” message, to the .htaccess file. Delete the .htaccess file and run cron. Cron will replace with the needed .htaccess required. My directory, to my .htaccess, for example public_html/sites/default/files/tmp
Best solution is to just delete the files, revisit the status page, Drupal will recreate them and the error messages are gone.