On Thu, Dec 05, 2013 23:41:25 PM +0100, augusto fagioli wrote:

your /tmp should already have a .htaccess, created by drupal itself

hey, you're right, for some reason I was sure Drupal would not do that itself. Instead it's there, see below. So, should I do something else to it?

Thanks, Marco

[root@vm log]# more /tmp/.htaccess Deny from all

# Turn off all options we don't need. Options None Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006 <Files *> # Override the handler again if we're run later in the evaluation list. SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003 </Files>

# If we know how to do it safely, disable the PHP engine entirely. <IfModule mod_php5.c> php_flag engine off </IfModule> [root@vm log]# ls -l !$ ls -l /tmp/.htaccess -r--r--r-- 1 apache apache 491 Dec 5 21:07 /tmp/.htaccess

On Thursday, December 5, 2013, M. Fioretti wrote:

Greetings,

I'm almost finished (fingers crossed) to update a website I manage to
drupal 7.24

Everything seems OK and I've already updated the .htaccess files in
sites/*/files/ as explained in

https://drupal.org/SA-CORE-2013-003

The only thing I'm not sure about is where that page says:

Additionally, the .htaccess of the temporary files directory and
private files directory (if used) should include this command:

Deny from all

my temporary files directory as shown in
/admin/config/media/file-system is /tmp (private file system path is
empty). Should I put an ..htaccess in /tmp too???

I believe not, but I'd rather have confirmation.

Thanks!
Marco


--
[ Drupal support list | http://lists.drupal.org/ ]