.htaccess: Option FollowSymLinks not allowed here

For all using Drupal: in June 2015 the Drupal security team reviewed this issue more closely. Their assessment is that there is no security-related issue at all related to Drupal itself using +FollowSymlinks. They agree that switching from +FollowSymlinks to +SymlinksIfOwnerMatch in Drupal core would be a security improvement, though. And that can be handled in that public ticket/issue https://www.drupal.org/node/1269780

Any volunteer for a patch to switch Drupal core from +FollowSymlinks to +SymlinksIfOwnerMatch? If it is easier, a patch was submitted a while ago, but it needs work and testing. If you’re interested in contributing, I suggest replying in the public ticket at https://www.drupal.org/node/1269780

By the way, if you’re able to demonstrate that the currently included +FollowSymlinks in the .htaccess file(s) of Drupal versions 6, 7 and 8 makes the Drupal installation itself vulnerable to attack, the Drupal security team said they would welcome that, and they would want to reopen that issue and handle it privately for security reasons. Instructions to report privately are at https://www.drupal.org/node/101494 or https://security.drupal.org

Hello,

Security is fine, but it does not help if it makes the system unusable.

With the default setting you can’t even install the most current version of Magento.
I tried today.

During installation several times the htaccess is overwritten.
Putting +FollowSymLinks in it, and that stops the installer with a 500.
So I change the htaccess and reload the page. The installer detects the crash and starts all over, replacing the htaccess. When I set the permission so it can’t, it stops and reports a permission error.

This happens on each update you install later.

So, until Magento changes this, I need to go the less secure way to keep the store running at all.

Nope, I don’t like it, but there are many things I don’t like.

Stefan

I have (I think) achieved a reasonably secure Magento installation by changing my Apache conf to allow FollowSymLinks, running the installer and then manually changing all the .htaccess files to SymLinksIfOwnerMatch. Of course, this needs to be repeated for every upgrade. It’s a pain but it seems to work.

Just to make sure everyone knows what needs to change for Magento if you’re moving from mod_php to fcgi style hosting… here it is. Note that it’s just two simple changes in .htaccess and media/.htaccess.

/home/$USER/public_html/.htaccess

Find the line:
Options +FollowSymlinks

And change to:
Options +SymLinksIfOwnerMatch

/home/$USER/public_html/media/.htaccess

Find the line:
Options All -Indexes

And change to:
Options -Indexes

Find the line:
Options +FollowSymlinks

And change to:
Options +SymLinksIfOwnerMatch

Just so you know, I copied this info from…
https://support.terranetwork.net/web/knowledgebase/144/htaccess-restrictions-for-Magento-Installs.html
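
The two .htaccess edits listed above, and the "repeat for every upgrade" step mentioned earlier in the thread, scripted as an added example (not part of the original posts or of Magento). The function names and the `.orig` backup suffix are choices made for this example, and it generalizes slightly: it matches the directive and option names case-insensitively, as Apache does, and walks every .htaccess under the given directory.

```shell
#!/bin/sh
# Added example (constructed): rewrite Options lines in .htaccess files so they
# are accepted where only SymLinksIfOwnerMatch may be enabled.

# fix_options: filter stdin -> stdout, changing only "Options" directives.
fix_options() {
    awk '
    tolower($1) != "options" { print; next }      # leave every other line alone
    {
        indent = $0; sub(/[^ \t].*$/, "", indent)  # keep leading whitespace
        out = ""
        for (i = 2; i <= NF; i++) {
            sign = ""; opt = $i
            if (opt ~ /^[+-]/) { sign = substr(opt, 1, 1); opt = substr(opt, 2) }
            low = tolower(opt)                     # option names are case-insensitive
            if (low == "all" && sign != "-") continue          # drop All / +All
            if (low == "followsymlinks" && sign != "-") opt = "SymLinksIfOwnerMatch"
            out = out " " sign opt
        }
        if (out == "") print "# " $0               # nothing left: comment the line out
        else print indent $1 out
    }'
}

# harden_docroot DIR: apply fix_options to every .htaccess below DIR.
# A changed file is backed up as .htaccess.orig first (assumed backup name).
harden_docroot() {
    find "$1" -type f -name .htaccess | while IFS= read -r f; do
        fix_options < "$f" > "$f.new"
        if cmp -s "$f" "$f.new"; then
            rm -f "$f.new"                         # already compliant
        else
            # cat into the existing file so its owner and mode stay unchanged
            cp -p "$f" "$f.orig" && cat "$f.new" > "$f" && rm -f "$f.new" &&
                echo "updated $f"
        fi
    done
}

if [ "$#" -gt 0 ]; then
    harden_docroot "$1"
else
    # No argument: show the rewrite on the two lines quoted in the post above.
    printf 'Options +FollowSymlinks\nOptions All -Indexes\n' | fix_options
fi
```

Pass the docroot as the only argument, for example /home/$USER/public_html, and rerun it after any upgrade that rewrites the files.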

Good news for all using Drupal. A patch has been committed/pushed. This means that issue will be fixed in the next Drupal version 8 release. Yayaya :) Read more at https://www.virtualmin.com/node/24493#comment-156092

Hi,

Same problem with Joomla’s .htaccess-file (Options +FollowSymlinks).

The line just below this section: ‘Options +FollowSymLinks’ may cause problems with some server configurations.
It is required for use of mod_rewrite, but may already be set by your server administrator in a way that disallows changing it in your .htaccess file.
If using it causes your server to error out, comment it out (add # to beginning of line), reload your site in your browser and test your sef url’s.
If they work, it has been set by your server administrator and you do not need it set here.

Is this solution still safe?

I found this topic, thanks Google. I have a Webmin server with several websites; one I want to build with OpenCart, and I encounter the same problems: when I leave Options +FollowSymLinks uncommented I get server 500 errors. When I disable that option I cannot use the SEO URL option for product links. I get some HTML code errors when I click products when I have SEO URL activated.
I tested Options +SymLinksIfOwnerMatch in htaccess but nothing seems to change on the website. I still cannot activate SEO URL.
Is there any solution? It is weird: when I activate SEO URL and click a product from the category page, I get a blank page with text only (no layout of the product page), but when I click that product from the checkout basket it opens nicely with the theme layout.

Hi

I have the same problem and I did what mbr89 said.
It works fine and mod_rewrite works fine too.
But… is this option safe?

Please comment…

Thanks in advance.

Hi,

A long time but how can I undo this command? My site now just downloads a file every time I access it?

Please let me know as it would really help me.

Thanks