[development] no .htaccess perms 500 kills drupal.

Morbus Iff morbus at disobey.com
Thu Jun 8 11:58:12 UTC 2006

> Today I ran into another server that did not allow .htaccess. If it finds
> one, it dies with a 500 (I beleive this is non standard, but it might be
> used in more places, I saw it twice). A person asked for my help because

That is not correct. If the server did not allow an .htaccess file, it 
would *ignore* them. In your case, the server *is* allowing an .htaccess 
file of some kind, only the directives that Drupal ships with are 
unallowed for the user, and thus it gives a 500. If you check your 
Apache error log, you'll get the exact reasoning.

However, you may be running up against:


> We should not make .htaccess files from with Drupal, not on upgrades
> and not after installation. Or at least not in this particular situation.
> It locks people out, without a hint whats happening

Again, not entirely accurate. The only .htaccess we create in Drupal is 
in the user's configured "files" directory. The only time the 500 error 
would occur is if someone *directly* accessed a URL under the files/ 
directory. If you're seeing otherwise, then you've got a really weird 
server, and we can't cater to it without negatively impacting commons.

> recently. We now rely on this file, inside the files dir, for security,
> meaning if you remove that file, you might be less secured. We must at
> least document this.

Removing the file is irrelevant - you remove it and Drupal will recreate 
it during the next file upload. You'd have to zero-byte it instead.

Morbus Iff ( and think about the bad things that I didn't do )
Technical: http://www.oreillynet.com/pub/au/779
Culture: http://www.disobey.com/ and http://www.gamegrene.com/
icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus

More information about the development mailing list