| Drupal

drupal-tmp-htaccessDrupal 7.24 and 6.29 were released in mid-November.

Both versions contained security fixes.

One of the fixes is described as "Code execution prevention". The Drupal security team wanted to add an extra layer of protection to stop hackers from uploading malicious files.

This fix requires some people to make a manual change to their site and this tutorial will show you how.

If you go to Reports > Status Reports, you may see an error like the one below. This will only appear for people using an Apache server and with certain configurations.


The error will read like this:

"Temporary files directory     Not fully protected
See http://drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the /Applications/MAMP/tmp/php directory to help protect against arbitrary code execution."

The actual directory suggested will be different, depending on where your site is hosted.

The directory that gives the warning is the Temporary directory. You can find this in Configuration > File System:


This directory is not always easy to find, because of this restriction for the temporary directory.

"A local file system path where temporary files will be stored. This directory should not be accessible over the web."

What this means is that you may not find the /tmp directory amongst your normal Drupal files:


The /tmp directory may be at a higher level than your Drupal files. It may lie at least one level higher up, and outside of your normal web directory. In the image below, the web directory is /public_html.

Please note that if you do find the /tmp directory in a location like this, you do not have to proceed any further. The recommended fix will not be useful.

If your /tmp directory is Inside your normal Drupal site files, you can proceed.

Inside the /tmp directory, create a file called .htaccess.


The content of the file should look like the image below. You can find the content at https://drupal.org/SA-CORE-2013-003.


Please note that some people are reporting that this does not remove the error message. However, even if your error message doesn't disappear, you have still done the correct fix.

Other notes:

  • Mike in the comments says: "If /tmp is one directory above the web root the correct path is ../tmp That solved my error problem."
  • Achton in the comment suggests: "Another option is to simply delete the .htaccess files in question. Drupal will attempt to recreate them on next request."
  • If you're not using Apache, "you need to configure PHP execution protection yourself in the respective server configuration files." https://drupal.org/SA-CORE-2013-003

About the author

Steve is the founder of OSTraining. Originally from the UK, he now lives in Sarasota in the USA. Steve's work straddles the line between teaching and web development.