Drupal's .htaccess
file does a good job of blocking the execution of command files because their extension is drush.inc
, but configuration files have a drushrc.php
extension; hence, these will be executed by the web server if someone writes the full path in the browser. Let's test this in the command line. Our sample Drupal project has a few Drush commands and a configuration file at sites/all/drush
:
$ curl -v http://example.local/sites/all/drush/policy.drush.inc
* Connected to example.local (127.0.0.1) port 80 (#0)
> GET /sites/all/drush/policy.drush.inc HTTP/1.1
> User-Agent: curl/7.35.0
> Host: example.local
> Accept: */*
>
< HTTP/1.1 403 Forbidden
We attempted to access our policy command file from the web browser and failed because Drupal's .htaccess
file blocked access to it. Good! Now let's try this with our main Drush configuration file:
$ curl -v http://example.local/sites/all/drush/drushrc.php
* Connected...