Skip to content Skip to navigation

Private vs. Public method in file system option

Author: 

When public method (default) is used in file system, you cannot upload files and do not see images via WYSIWYG editor (e.g. TinyMCE) with IMCE module to upload images

Fix: (per email from mrmarco )

In the .htaccess file within your file upload directory (e.g., sites/default/files/.htaccess, sites/files/.htaccess or files/.htaccess), comment out the lines:

 # SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
 # Options None
 # Options +FollowSymLinks

Lines that begin with Options. They will trigger errors in Apache (which will prevent the images from showing up). You can leave the line with SetHandler commented out if you want, or not, Apache ignores that one.

(If you remove the .htaccess file, Drupal will re-create it so leave it there with the lines commented out.)

This is Drupal's attempt to protect you from malicious users who might upload executable files (maybe as attachments). It's very important that you don't allow anonymous or untrusted users to upload files to Drupal unless you save your files outside of cgi-bin.

There's some further restriction that you can add if you want to restrict files by file type and add Webauth restriction(s):

# First process Allow directives, then Deny ones. If none match, deny by default.
Order Allow,Deny
# Only allow access to files that are treated through the default handler by Apache (as of 6/15/09) - files that are not executed.
# Place WebAuth directives in here as well (optional).
<FilesMatch "\.(gif|jpe?g|png|ico|swf|css|js|jar|shtml?|html?|xhtml?|xml|txt|pdf|mov|doc|xls|ppt|pps|odt|ods|odp|docx|xlsx|pptx|mp3|wma|tar|gz|zip)$">
  AuthType WebAuth
  require valid-user
  Allow from all
</FilesMatch>

Note that this restricts file downloading to SUNet users only. If you want anonymous users to be able to download files, you need to comment out the WebAuth lines like so:

#  AuthType WebAuth
#  require valid-user
  Allow from all

So the whole .htaccess for a WebAuth-restricted file directory should look like this:

#SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
#Options None
#Options +FollowSymLinks
 
# SetHandler does not work in our configuration. It would require Apache to allow the override of FileInfo which is quite dangerous.
# The directives below are meant to stop accesses to any files that might be executed.
 
# First process Allow directives, then Deny ones. If none match, deny by default.
Order Allow,Deny
 
# Only allow access to files that are treated through the default handler by Apache (as of 6/15/09) - files that are not executed.
# Place WebAuth directives in here as well (optional).
<FilesMatch "\.(gif|jpe?g|png|ico|swf|css|js|jar|shtml?|html?|xhtml?|xml|txt|pdf|mov|doc|xls|ppt|pps|odt|ods|odp|docx|xlsx|pptx|mp3|wma|tar|gz|zip)$">
 AuthType WebAuth
 require valid-user
 Allow from all
</FilesMatch>

And the .htaccess file for a public files directory would look like this:

#SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
#Options None
#Options +FollowSymLinks
 
# SetHandler does not work in our configuration. It would require Apache to allow the override of FileInfo which is quite dangerous.
# The directives below are meant to stop accesses to any files that might be executed.
 
# First process Allow directives, then Deny ones. If none match, deny by default.
Order Allow,Deny
 
# Only allow access to files that are treated through the default handler by Apache (as of 6/15/09) - files that are not executed.
# Place WebAuth directives in here as well (optional).
<FilesMatch "\.(gif|jpe?g|png|ico|swf|css|js|jar|shtml?|html?|xhtml?|xml|txt|pdf|mov|doc|xls|ppt|pps|odt|ods|odp|docx|xlsx|pptx|mp3|wma|tar|gz|zip)$">
 Allow from all
</FilesMatch>