Drupal 7.24 and 6.29: tmp directory and .htaccess

drupal-tmp-htaccess

Drupal 7.24 and 6.29 were released in mid-November.

Both versions contained security fixes.

One of the fixes is described as “Code execution prevention”. The Drupal security team wanted to add an extra layer of protection to stop hackers from uploading malicious files.

This fix requires some people to make a manual change to their site and this tutorial will show you how.

If you go to Reports > Status Reports, you may see an error like the one below. This will only appear for people using an Apache server and with certain configurations.

media_1385224050956.png

The error will read like this:

“Temporary files directory     Not fully protected
See http://drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the /Applications/MAMP/tmp/php directory to help protect against arbitrary code execution.”

The actual directory suggested will be different, depending on where your site is hosted.

The directory that gives the warning is the Temporary directory. You can find this in Configuration > File System:

media_1385225488320.png

This directory is not always easy to find, because of this restriction for the temporary directory.

“A local file system path where temporary files will be stored. This directory should not be accessible over the web.”

What this means is that you may not find the /tmp directory amongst your normal Drupal files:

media_1385224084463.png

The /tmp directory may be at a higher level than your Drupal files. It may lie at least one level higher up, and outside of your normal web directory. In the image below, the web directory is /public_html.

media_1385225547928.png
Please note that if you do find the /tmp directory in a location like this, you do not have to proceed any further. The recommended fix will not be useful.

If your /tmp directory is Inside your normal Drupal site files, you can proceed.

Inside the /tmp directory, create a file called .htaccess.

media_1385226133188.png

The content of the file should look like the image below. You can find the content at https://drupal.org/SA-CORE-2013-003.

media_1385226225114.png

Please note that some people are reporting that this does not remove the error message. However, even if your error message doesn’t disappear, you have still done the correct fix.

Other notes:

  • Mike in the comments says: “If /tmp is one directory above the web root the correct path is ../tmp That solved my error problem.”
  • Achton in the comment suggests: “Another option is to simply delete the .htaccess files in question. Drupal will attempt to recreate them on next request.”
  • If you’re not using Apache, “you need to configure PHP execution protection yourself in the respective server configuration files.” https://drupal.org/SA-CORE-2013-003

Author

  • Steve Burge

    Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.

0 0 votes
Article Rating
Subscribe
Notify of
24 Comments
Oldest
Newest
Inline Feedbacks
View all comments
Fred
Fred
10 years ago

If /tmp is one directory above the web root, then it’s not accessible from the web and an .htaccess file there is meaningless. In such a case, this warning error is bogus and others have already posted this on d.o.

steve
steve
10 years ago
Reply to  Fred

Yes, that’s a very valid point, thanks Fred
This error message has been confusing quite a lot of our members. I’ll add that point to the tutorial to help them better understand this message.

Mike Fuller
Mike Fuller
10 years ago

If /tmp is one directory above the web root the correct path is ../tmp

That solved my error problem.

steve
steve
10 years ago
Reply to  Mike Fuller

Thanks Mike. This error message has caused more questions than anything we’ve seen in a while. I’ll add all the various fixes to the blog.

Achton
Achton
10 years ago

Another option is to simply delete the .htaccess files in question. Drupal will attempt to recreate them on next request.

steve
steve
10 years ago
Reply to  Achton

Great, thanks Achton

Andy
Andy
10 years ago
Reply to  Achton

Actually Drupal will create them on the next cron run so run cron after you delete them.

Wim
Wim
10 years ago

Thanks Steve, works perfect for me!

I replaced the content of the .htacces file in public files dir (sites/default/files) and temp files dir (C:/xampp/temp). Error messages are gone.

steve
steve
10 years ago
Reply to  Wim

Great, glad that worked for you Wim

M. Frehse
M. Frehse
10 years ago

Well i did all the fixes mentioned for the “sites/default/files” and “/temp” directory but i still get an error message saying that my tmp directory (which is on the same level as all the other drupal directories) is still not fully protected. Where did i go wrong?

M.Frehse
M.Frehse
10 years ago
Reply to  M. Frehse

I got it! In Configuration -> File System there was the following path given for the temp directory: /tmp.

I changed it to tmp (without / ) and the error message was gone…..quite strange but it worked out for me!

steve
steve
10 years ago
Reply to  M.Frehse

Great, thanks for posting your solution

Nikolas
Nikolas
10 years ago

I finally created a tmp folder inside sites/default/files and change the path on Drupal. Drupal will create the .htaccess inside automatically.

Mupetz
Mupetz
10 years ago
Reply to  Nikolas

Thanks Nikolas, that solved my problem

Bill
Bill
10 years ago
Reply to  Nikolas

Hi, I created a tmp folder inside sites/default/files but i don`t know what to do rest. please help.
Thank you

Nikolas
Nikolas
10 years ago
Reply to  Bill

You only have to reload your ‘Status Report’ page.

Grneyes
Grneyes
6 years ago
Reply to  Nikolas

Thanks, that worked for me also.

Nicolás
Nicolás
10 years ago

Where I can find / tmp. My website is on a commercial server and can not find the folder or within my domain or the root.
As I can solve the problem.
Thanks.

Nicolás
Nicolás
10 years ago
Reply to  Nicolás

It means that we should not do anything, but the sistem file error

Ruslan
Ruslan
9 years ago

thanks

avinash
9 years ago

i got it! In Configuration -> File System there was the following path given for the temp directory: /tmp.

I changed it to tmp (without / ) and the error message was gone…..quite strange but it worked out for me!

jen
jen
9 years ago

If I lose my site’s themeing when I add this .htaccess, what might be going wrong?

miguel
miguel
8 years ago

follow the directory, in the “Temporary files..Not Fully Protected” message, to the .htaccess file. Delete the .htaccess file and run cron. Cron will replace with the needed .htaccess required. My directory, to my .htaccess, for example public_html/sites/default/files/tmp

ivan radisson
ivan radisson
7 years ago

Best solution is to just delete the files, revisit the status page, Drupal will recreate them and the error messages are gone.

24
0
Would love your thoughts, please comment.x
()
x