September 26, 2012

Drupal 8: .htaccess file goodies

Drupal 7 has been out in the wild for a little over a year now. It brought a myriad (sic, can you sic your own material?) of new features: Entities, more hooks, CCK in core... to name but a few. With Drupal 8's full release still in the distance, it will be interesting to see how it will compare with the current release. One change we noted is a potential update to the core .htaccess file, which acts as the concierge and first line of defense against malicious and accidental breaches.

The .htaccess file serves primarily to route incoming traffic to your Drupal site by rewriting requests to index.php, which calls the appropriate data retrieval and rendering functions. In this manner, .htaccess passes a request for http://www.example.com/?q=user to index.php, which then displays the user login page if you are not already logged in. All requests to the website should be passed to index.php and only index.php. If for some reason a malicious script made its way onto your server, whether uploaded intentionally or via a compromised user machine, it could be executed simply by pointing a browser at it.

This is where .htaccess steps in. In the new Drupal 8 iteration, even if a site were compromised and a script file was accidentally uploaded, the new rules will prevent it from being executed. Bear in mind that the current Drupal 7 .htaccess file already does a good job of protecting sites; this update is just an extra set of rules to help catch those pesky one-off gremlins.

If you take a peek at your .htaccess file you will also find the rules that allow you to force your website domain to add or drop the 'www' prefix. This is handy for SEO to prevent your site from showing confusing results for content located at www.example.com and example.com.

The .htaccess file is a gatekeeper, but like the inebriated porter in Macbeth, if too much craziness goes on it can be fooled. Remember to keep your Drupal core up to date with the latest security fixes, as well as all those custom and contributed modules. Check for file uploads, eval()s, stray .PHP files, etc.

For the security conscious, you don't have to wait for D8 to add the new .htaccess rules: you can see the current patch here. You can try running the patch, or just copy and paste the two new lines of rules. The rules tell the webserver to only execute .php files found in your site's webroot folder or in the /core directory. This should not impact your site negatively, as normally only index.php should ever be served directly.

Here is the new rule. You can see that it checks the file being requested, and if it is a .php file not in the webroot or /core directory, Apache will kick it to the curb with a big fat [F] (403 Forbidden) code.

# Only fire the rule below when the request is NOT for a .php file sitting directly in /core (install.php, update.php, ...).
RewriteCond %{REQUEST_URI} !^/core/[^/]*\.php$
# Any other .php file below a subdirectory of the webroot is refused with 403 Forbidden.
RewriteRule "^.+/.*\.php$" - [F]
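To see what the pair of rules actually admits and rejects, here is an added Python simulation (not part of the post or of Drupal) that applies the two regexes to a handful of constructed request paths. It assumes mod_rewrite's per-directory behaviour: with .htaccess in the webroot, the RewriteRule pattern sees the path without its leading slash, while %{REQUEST_URI} keeps it.

```python
import re

# The two Drupal 8 rules quoted above, with the regex dots escaped so that
# ".php" matches a literal dot rather than any character.
REWRITE_COND = re.compile(r"^/core/[^/]*\.php$")  # RewriteCond %{REQUEST_URI} !...
REWRITE_RULE = re.compile(r"^.+/.*\.php$")        # RewriteRule pattern, [F] on match


def is_forbidden(request_uri: str) -> bool:
    """Return True if the rule pair would answer 403 Forbidden for request_uri.

    Assumption: .htaccess lives in the webroot, so mod_rewrite matches the
    RewriteRule pattern against the path relative to that directory (leading
    slash stripped), while %{REQUEST_URI} still carries its leading slash.
    """
    if not request_uri.startswith("/"):
        raise ValueError("request URI must be an absolute path")
    # The '!' on the RewriteCond negates it: the rule may only fire when the
    # URI is NOT a PHP file directly inside /core (install.php, update.php, ...).
    cond_passes = REWRITE_COND.search(request_uri) is None
    rel_path = request_uri[1:]  # per-directory context: no leading slash
    return cond_passes and REWRITE_RULE.search(rel_path) is not None


def classify(uris):
    """Map each URI to 'FORBIDDEN' or 'ALLOWED' for a quick audit table."""
    return {u: ("FORBIDDEN" if is_forbidden(u) else "ALLOWED") for u in uris}


if __name__ == "__main__":
    # Constructed sample requests: the legitimate front controllers plus a few
    # stray .php files in places where uploads, modules and core internals live.
    samples = [
        "/index.php",
        "/core/install.php",
        "/core/lib/Drupal/Core/Database.php",
        "/sites/default/files/stray.php",
        "/modules/custom/debug.php",
        "/sites/default/files/image.jpg",
    ]
    for uri, verdict in classify(samples).items():
        print(f"{verdict:9} {uri}")
```

Note that index.php passes only because the pattern demands a slash somewhere before the filename, which a file directly in the webroot never has.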

Good luck, and happy Drupaling!

Published by: chazcheadle in The Programming Mechanism