From 7c6e37bfafc3309cf4309d8cf46215211cab91bf Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Tue, 3 Dec 2013 12:14:44 -0200
Subject: Fix for SA-CORE-2013-003
---
 files/htaccess | 23 +++++++++++++++++++++++
 manifests/init.pp | 9 +++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 files/htaccess
diff --git a/files/htaccess b/files/htaccess
new file mode 100644
index 0000000..d156a1e
--- /dev/null
+++ b/files/htaccess
@@ -0,0 +1,23 @@
+# Turn off all options we don't need.
+Options None
+Options +FollowSymLinks
+
+# Set the catch-all handler to prevent scripts from being executed.
+SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
+
+ # Override the handler again if we're run later in the evaluation list.
+ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
+
+
+# If we know how to do it safely, disable the PHP engine entirely.
+
+ php_flag engine off
+
+# PHP 4, Apache 1.
+
+ php_flag engine off
+
+# PHP 4, Apache 2.
+
+ php_flag engine off
+
diff --git a/manifests/init.pp b/manifests/init.pp
index eef169a..9094988 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -108,4 +108,13 @@ class drupal(
 source => "puppet:///modules/drupal/themes7.make",
 require => File['/usr/local/share/drupal'],
 }
+
+ # See https://drupal.org/SA-CORE-2013-003
+ file { "/tmp/.htaccess":
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 644,
+ source => "puppet:///modules/drupal/htaccess",
+ }
 }
--
cgit v1.2.3
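Review bot: The three `php_flag engine off` lines and the second `SetHandler` appear in files/htaccess with no enclosing section, although the comments above them ("If we know how to do it safely", "PHP 4, Apache 1.") describe conditional blocks. The bare `+` lines around them suggest the container lines were lost, possibly only in this rendering of the patch. If the committed file really lacks them, Apache will refuse `php_flag` on any server without the PHP module loaded and answer every request under that directory with an error. Confirm that the file on disk carries the `<Files *>` and `<IfModule …>` wrappers given in the advisory text.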
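Review bot: The `file { "/tmp/.htaccess": … }` resource manages a path inside a world-writable directory with `ensure => present`, which accepts whatever kind of entry already exists there; `ensure => file,` states the intent that it be a regular file carrying the module's content. `mode => 644,` is a bare number, and newer Puppet releases require the mode as a string, so quote it as `mode => '0644',`. The resource covers `/tmp` only, so as far as this hunk shows a site whose temporary or files directory is configured elsewhere gets no protection, and the file only takes effect where Apache's `AllowOverride` permits these directives. A comment next to the advisory link saying so would help. The `class drupal(` body starts outside the hunk.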