create safer .htaccess SC#302

diff --git a/doc/install.html b/doc/install.html
index 31d14d5b299a505d6786df9db0b6dda4fa31fb18..3df339df3d395787d4455fab74b0ff2488d90660 100755 (executable)
--- a/doc/install.html
+++ b/doc/install.html
@@ -114,7 +114,7 @@
      by creating a file in the data directory called .htaccess, containing this line:
   <blockquote>
      
-    <pre>deny from all</pre>
+    <pre>deny from all<br />AllowOverride None</pre>
   </blockquote>
   <p>To make sure that Moodle can save uploaded files in this directory, check that 
      the web server software (eg Apache) has permission to write 

diff --git a/lang/en_utf8/docs/install.html b/lang/en_utf8/docs/install.html
index 10592d62dbeaae571fc2817e785b179aac110aa9..8d949e2870c1cebd6d74dadefbb3d74f7b49052f 100644 (file)
--- a/lang/en_utf8/docs/install.html
+++ b/lang/en_utf8/docs/install.html
@@ -254,7 +254,7 @@ php_value post_max_size 2M
     <p>The Moodle installer tries hard to create this directory for you but if it fails then you will have to create a directory for this purpose manually. </p>
     <p>For security, it's best that this directory is NOT accessible directly via the web. The easiest way to do this is to simply locate it OUTSIDE the web directory, but if you must have it in the web directory then  protect it by creating a file in the data directory called .htaccess, containing this line: </p>
     <blockquote>
-      <pre>deny from all</pre>
+      <pre>deny from all<br />AllowOverride None</pre>
     </blockquote>
     <p>To make sure that Moodle can save uploaded files in this directory, check that the web server software (eg Apache) has permission to read, write and execute in  this directory. </p>
     <p>On Unix machines, this means setting the owner of the directory to be something like &quot;nobody&quot; or &quot;apache&quot;, and then giving that user read, write and execute permissions.</p>

diff --git a/lang/en_utf8/help/install.html b/lang/en_utf8/help/install.html
index 3cef4dabd1e44a9be56590f7ba3922dd18545e80..bf7e5049cac5fa3973d017f5c2c89f3facc780fe 100644 (file)
--- a/lang/en_utf8/help/install.html
+++ b/lang/en_utf8/help/install.html
@@ -234,7 +234,7 @@ php_value post_max_size 2M
     <p>The Moodle installer tries hard to create this directory for you but if it fails then you will have to create a directory for this purpose manually. </p>
     <p>For security, it's best that this directory is NOT accessible directly via the web. The easiest way to do this is to simply locate it OUTSIDE the web directory, but if you must have it in the web directory then  protect it by creating a file in the data directory called .htaccess, containing this line: </p>
     <blockquote>
-      <pre>deny from all</pre>
+      <pre>deny from all<br />AllowOverride None</pre>
     </blockquote>
     <p>To make sure that Moodle can save uploaded files in this directory, check that the web server software (eg Apache) has permission to read, write and execute in  this directory. </p>
     <p>On Unix machines, this means setting the owner of the directory to be something like &quot;nobody&quot; or &quot;apache&quot;, and then giving that user read, write and execute permissions.</p>

diff --git a/lib/db/mysql.php b/lib/db/mysql.php
index 7080146839c5fe941c7d0638243ff0fdd41ed282..57a60c2fd8f2e55043979be560fb5c7a42673523 100644 (file)
--- a/lib/db/mysql.php
+++ b/lib/db/mysql.php
@@ -1096,7 +1096,7 @@ function main_upgrade($oldversion=0) {
     if ($oldversion < 2005011000) {     // Create a .htaccess file in dataroot, just in case
         if (!file_exists($CFG->dataroot.'/.htaccess')) {
             if ($handle = fopen($CFG->dataroot.'/.htaccess', 'w')) {   // For safety
-                @fwrite($handle, "deny from all\r\n");
+                @fwrite($handle, "deny from all\r\nAllowOverride None\r\n");
                 @fclose($handle); 
                 notify("Created a default .htaccess file in $CFG->dataroot");
             }

diff --git a/lib/db/postgres7.php b/lib/db/postgres7.php
index 524b5b3567d6cf1d7b3ca8892ae9c984c3b5b688..b114d6b959d8e685362c9229c068c1e810c729e3 100644 (file)
--- a/lib/db/postgres7.php
+++ b/lib/db/postgres7.php
@@ -871,7 +871,7 @@ function main_upgrade($oldversion=0) {
     if ($oldversion < 2005011000) {     // Create a .htaccess file in dataroot, just in case
         if (!file_exists($CFG->dataroot.'/.htaccess')) {
             if ($handle = fopen($CFG->dataroot.'/.htaccess', 'w')) {   // For safety
-                @fwrite($handle, "deny from all\r\n");
+                @fwrite($handle, "deny from all\r\nAllowOverride None\r\n");
                 @fclose($handle); 
                 notify("Created a default .htaccess file in $CFG->dataroot");
             }

diff --git a/lib/setuplib.php b/lib/setuplib.php
index 63ddebb48a6ffb88df2347280b8d7fc5bc893788..cd73326b1fbb6d798fa3a3875af41da6aaba63b1 100644 (file)
--- a/lib/setuplib.php
+++ b/lib/setuplib.php
@@ -60,7 +60,7 @@ function make_upload_directory($directory, $shownotices=true) {
     // Make sure a .htaccess file is here, JUST IN CASE the files area is in the open
     if (!file_exists($currdir.'/.htaccess')) {
         if ($handle = fopen($currdir.'/.htaccess', 'w')) {   // For safety
-            @fwrite($handle, "deny from all\r\n");
+            @fwrite($handle, "deny from all\r\nAllowOverride None\r\n");
             @fclose($handle);
         }
     }