Thursday, October 22, 2015

Drupal 7: Forbidden error for files in the files directory

"Access forbidden!
You don't have permission to access the requested object. It is either read-protected or not readable by the server.
If you think this is a server error, please contact the webmaster."

The problems, however, start when the browser is trying to access these files.
Problem #1. The FollowSymLinks option causes me an Internal Server Error because my hosting provider has disabled use of this directive. In my environment I know I can safely comment this line out just like I did in the main .htaccess file in the Drupal installation directory. This is because the FollowSymLinksIfOwnerMatch is enabled instead. One down, one to go.

Problem #2. The content of the .htaccess file is now effectively as follows:
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
With this configuration I get rid of the Internal Server Error. But instead, I now get an HTTP 403 Forbidden error when the browser is requesting files that are in the files directory.
If I comment out Options None, I can access the files as intended. This configuration change is, however, something that I am not going to do unless I know for sure that Apache is configured safely - I don't want to open my site to remote arbitrary code execution.
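The following is an added example, not code from the original post or from Drupal: a small audit of the Options and SetHandler lines in a files-directory .htaccess. It assumes the 403 comes from mod_rewrite, which refuses per-directory rewrite rules (such as those in a site-root .htaccess) when neither FollowSymLinks nor SymLinksIfOwnerMatch is in effect; the function name, result keys and the VARIANT file are hypothetical.

```python
# Added example: audits the Options and SetHandler lines of a files-directory .htaccess.
RISKY = {"execcgi", "includes"}                    # options that let content execute
SYMLINK = {"followsymlinks", "symlinksifownermatch"}
# "All" means every option except MultiViews
ALL = RISKY | SYMLINK | {"indexes", "includesnoexec"}

def audit(text):
    """Apply the directives in file order and report the resulting state."""
    opts, inherited, guard = set(), True, False
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        name, args = words[0].lower(), words[1:]
        if name == "sethandler" and args:
            # Drupal's guard: a handler name that no module implements
            guard = guard or args[0].startswith("Drupal_Security_Do_Not_Remove")
        elif name == "options" and args:
            if not any(a[0] in "+-" for a in args):
                opts, inherited = set(), False     # absolute form drops inherited options
            for a in args:
                key = a.lstrip("+-").lower()
                names = ALL if key == "all" else set() if key == "none" else {key}
                opts = opts - names if a.startswith("-") else opts | names
    if opts & SYMLINK:
        rewrite = True
    else:
        rewrite = None if inherited else False     # None: depends on the parent directory
    return {"handler_guard": guard, "options": sorted(opts),
            "rewrite_allowed": rewrite, "risky": sorted(opts & RISKY)}

# The two effective lines quoted in the post.
FROM_POST = """\
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
"""
# Constructed variant: re-enable only the owner-checked symlink option.
VARIANT = FROM_POST + "Options +SymLinksIfOwnerMatch\n"

if __name__ == "__main__":
    for label, text in (("from post", FROM_POST), ("variant", VARIANT)):
        print(label, audit(text))
```

Whether the variant is accepted depends on the host's AllowOverride settings, and the audit only sees this one file, not options inherited from the server configuration.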