Skip to content
This repository was archived by the owner on Jan 13, 2026. It is now read-only.

Commit cbf6230

Browse files
committed
Issue #10: Treat .htaccess files in content folders as code
So do not allow webserver so modify them. See https://www.drupal.org/project/security_review/issues/3550828 This script allows owner user to modify .htaccess files, like any other code file, because the owner used should be the deploy user, not the webserver. A new helper function has been added to deal with .htaccess that is called inside the content permission fixed function.
1 parent eb12afc commit cbf6230

1 file changed

Lines changed: 44 additions & 4 deletions

File tree

drupal_fix_permissions.sh

Lines changed: 44 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -228,21 +228,21 @@ function fix_code_permission_helper() {
228228
function fix_content_permission_helper() {
229229
case $simulate in
230230
0)
231-
# Real action.
232-
find "$1" -type $2 ! -perm $3 -print0 | xargs -r -0 -L20 chmod $3
231+
# Real action. Exclude .htaccess files as they should be treated as code.
232+
find "$1" -type $2 ! -name '.htaccess' ! -perm $3 -print0 | xargs -r -0 -L20 chmod $3
233233
;;
234234

235235
1)
236236
# Simulate.
237-
num=$(find "$1" -type $2 ! -perm $3 -print | wc -l)
237+
num=$(find "$1" -type $2 ! -name '.htaccess' ! -perm $3 -print | wc -l)
238238
printf "\n Content items with wrong permissions: $num"
239239
;;
240240

241241
2)
242242
# Simulate verbosely.
243243
printf "\n Content files and directories that would have their permissions fixed: "
244244
# Use a variable to indent output.
245-
items=$(find "$1" -type $2 ! -perm $3 -print)
245+
items=$(find "$1" -type $2 ! -name '.htaccess' ! -perm $3 -print)
246246
items=${items:-None}
247247
printf "\n ${items//$'\n'/$'\n' }\n"
248248
;;
@@ -281,6 +281,42 @@ function fix_code_permissions() {
281281
}
282282

283283

284+
# Helper function to set code permissions on .htaccess files in content directories.
285+
#
286+
# This is an internal function.
287+
#
288+
# Params:
289+
# $1 Path to the directory to process.
290+
#
291+
# Globals:
292+
# code_file_perms: permissions scheme to use for code files.
293+
function fix_htaccess_in_content_helper() {
294+
case $simulate in
295+
0)
296+
# Real action.
297+
find "$1" -type f -name '.htaccess' ! -perm "$code_file_perms" -print0 | xargs -r -0 -L20 chmod "$code_file_perms"
298+
;;
299+
300+
1)
301+
# Simulate.
302+
num=$(find "$1" -type f -name '.htaccess' ! -perm "$code_file_perms" -print | wc -l)
303+
[ $num -gt 0 ] && printf "\n .htaccess files with wrong permissions: $num"
304+
;;
305+
306+
2)
307+
# Simulate verbosely.
308+
items=$(find "$1" -type f -name '.htaccess' ! -perm "$code_file_perms" -print)
309+
if [ ! -z "$items" ]
310+
then
311+
printf "\n .htaccess files that would have their permissions fixed: "
312+
printf "\n ${items//$'\n'/$'\n' }\n"
313+
fi
314+
;;
315+
316+
esac
317+
}
318+
319+
284320
# Sets the permissions of a content path.
285321
#
286322
# Params:
@@ -289,6 +325,7 @@ function fix_code_permissions() {
289325
# Globals:
290326
# content_dir_perms: permissions scheme to use for content directories.
291327
# content_file_perms permissions scheme to use for content files.
328+
# code_file_perms: permissions scheme to use for .htaccess files.
292329
function fix_content_permissions() {
293330

294331
name=$(basename "$1")
@@ -297,6 +334,9 @@ function fix_content_permissions() {
297334

298335
printf "\n Setting permissions on content files to $content_file_perms under '$name'"
299336
fix_content_permission_helper "$1" f "$content_file_perms"
337+
338+
printf "\n Setting permissions on .htaccess files to $code_file_perms under '$name'"
339+
fix_htaccess_in_content_helper "$1"
300340
}
301341

302342

0 commit comments

Comments
 (0)