Drupal 7.24 and 6.29: tmp directory and .htaccess

drupal-tmp-htaccess

Drupal 7.24 and 6.29 were released in mid-November.

Both versions contained security fixes.

One of the fixes is described as “Code execution prevention”. The Drupal security team wanted to add an extra layer of protection to stop hackers from uploading malicious files.

This fix requires some people to make a manual change to their site and this tutorial will show you how.

If you go to Reports > Status Reports, you may see an error like the one below. This will only appear for people using an Apache server and with certain configurations.

media_1385224050956.png

The error will read like this:

“Temporary files directory     Not fully protected
See http://drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the /Applications/MAMP/tmp/php directory to help protect against arbitrary code execution.”

The actual directory suggested will be different, depending on where your site is hosted.

The directory that gives the warning is the Temporary directory. You can find this in Configuration > File System:

media_1385225488320.png

This directory is not always easy to find, because of this restriction for the temporary directory.

“A local file system path where temporary files will be stored. This directory should not be accessible over the web.”

What this means is that you may not find the /tmp directory amongst your normal Drupal files:

media_1385224084463.png

The /tmp directory may be at a higher level than your Drupal files. It may lie at least one level higher up, and outside of your normal web directory. In the image below, the web directory is /public_html.

media_1385225547928.png
Please note that if you do find the /tmp directory in a location like this, you do not have to proceed any further. The recommended fix will not be useful.

If your /tmp directory is Inside your normal Drupal site files, you can proceed.

Inside the /tmp directory, create a file called .htaccess.

media_1385226133188.png

The content of the file should look like the image below. You can find the content at https://drupal.org/SA-CORE-2013-003.

media_1385226225114.png

Please note that some people are reporting that this does not remove the error message. However, even if your error message doesn’t disappear, you have still done the correct fix.

Other notes:

  • Mike in the comments says: “If /tmp is one directory above the web root the correct path is ../tmp That solved my error problem.”
  • Achton in the comment suggests: “Another option is to simply delete the .htaccess files in question. Drupal will attempt to recreate them on next request.”
  • If you’re not using Apache, “you need to configure PHP execution protection yourself in the respective server configuration files.” https://drupal.org/SA-CORE-2013-003

Instructor

  • Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.

0 0 votes
Blog Rating
Subscribe
Notify of
24 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Fred

If /tmp is one directory above the web root, then it’s not accessible from the web and an .htaccess file there is meaningless. In such a case, this warning error is bogus and others have already posted this on d.o.

steve

Yes, that’s a very valid point, thanks Fred
This error message has been confusing quite a lot of our members. I’ll add that point to the tutorial to help them better understand this message.

Mike Fuller

If /tmp is one directory above the web root the correct path is ../tmp

That solved my error problem.

steve

Thanks Mike. This error message has caused more questions than anything we’ve seen in a while. I’ll add all the various fixes to the blog.

Achton

Another option is to simply delete the .htaccess files in question. Drupal will attempt to recreate them on next request.

steve

Great, thanks Achton

Andy

Actually Drupal will create them on the next cron run so run cron after you delete them.

Wim

Thanks Steve, works perfect for me!

I replaced the content of the .htacces file in public files dir (sites/default/files) and temp files dir (C:/xampp/temp). Error messages are gone.

steve

Great, glad that worked for you Wim

M. Frehse

Well i did all the fixes mentioned for the “sites/default/files” and “/temp” directory but i still get an error message saying that my tmp directory (which is on the same level as all the other drupal directories) is still not fully protected. Where did i go wrong?

M.Frehse

I got it! In Configuration -> File System there was the following path given for the temp directory: /tmp.

I changed it to tmp (without / ) and the error message was gone…..quite strange but it worked out for me!

steve

Great, thanks for posting your solution

Nikolas

I finally created a tmp folder inside sites/default/files and change the path on Drupal. Drupal will create the .htaccess inside automatically.

Mupetz

Thanks Nikolas, that solved my problem

Bill

Hi, I created a tmp folder inside sites/default/files but i don`t know what to do rest. please help.
Thank you

Nikolas

You only have to reload your ‘Status Report’ page.

Grneyes

Thanks, that worked for me also.

Nicolás

Where I can find / tmp. My website is on a commercial server and can not find the folder or within my domain or the root.
As I can solve the problem.
Thanks.

Nicolás

It means that we should not do anything, but the sistem file error

Ruslan

thanks

avinash

i got it! In Configuration -> File System there was the following path given for the temp directory: /tmp.

I changed it to tmp (without / ) and the error message was gone…..quite strange but it worked out for me!

jen

If I lose my site’s themeing when I add this .htaccess, what might be going wrong?

miguel

follow the directory, in the “Temporary files..Not Fully Protected” message, to the .htaccess file. Delete the .htaccess file and run cron. Cron will replace with the needed .htaccess required. My directory, to my .htaccess, for example public_html/sites/default/files/tmp

ivan radisson

Best solution is to just delete the files, revisit the status page, Drupal will recreate them and the error messages are gone.

24
0
Would love your thoughts, please comment.x
()
x