Hi,
I have a site hosted in Aegir (0.4-rc1 I think). In its "private" directory, I put a text file:
~/platforms/myplatform/sites/example.org/private/test.txt
From a web browser, I can access it directly and read it with an URL like this:
http://example.org/sites/example.org/private/test.txt

Comments

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

I think we made that private directory just for Drupal 7 compatibility.

According to http://drupal.org/documentation/modules/file, when you set private download method in drupal 7, it drops a .htaccess in there saying Deny from All.

It's probably not respected in Drupal 6, but wasn't intended to be. You could nonetheless drop such a .htaccess file in there yourself if you wish.

j0nathan’s picture

j0nathan CreditAttribution: j0nathan commented
Category: bug » feature

Hi mig5,

I tried with an .htaccess file saying "Deny from All" but I still have access to my text file.

Maybe we can automatically put a README file into that directory explaining that it is not really private and should be configured into Drupal, version 7.

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Priority: Normal » Major

I think we should hardcode in our templates that /private is forbidden.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented
Version: » 6.x-1.0-rc3
Status: Active » Fixed

I did just that, please patch from http://drupalcode.org/project/provision.git/commit/3fcbb0c, let us know if it doesn't fix the issue for you.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

j0nathan’s picture

j0nathan CreditAttribution: j0nathan commented
Version: 6.x-1.0-rc3 » 6.x-1.0-rc7
Status: Closed (fixed) » Active

Hi,
On what version should it work?
I tried with 6.x-1.0-rc7 and the file is still accessible.
I haven't patch anything.

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Status: Active » Fixed

This was supposedly fixed in rc4. You will need to re-verify the site (and maybe even the platform).

Please try again.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

And remember you may need to re-verify your site/platform in order to have that config snippet appended to the relevant vhost config.

j0nathan’s picture

j0nathan CreditAttribution: j0nathan commented
Version: 6.x-1.0-rc7 » 6.x-1.1
Status: Fixed » Active

I've just re-verified the platform and re-verified the site, I cleared the cache (drush cc all) and cleared boost's cache, I cleared my browser's cache and tried with different browsers, but I still can access the file.

Anonymous’s picture

Anonymous (not verified) CreditAttribution: Anonymous commented

Can you paste the DirectoryMatch snippet of the relevant vhost config file? Or e-mail it to me.

Maybe I have screwed up the path and that's why. Also include what you think the path ought to be, if it looks wrong in the vhost.

joestewart’s picture

joestewart CreditAttribution: joestewart commented

Can we just remove the private directory creation? It's not part of Drupal 7 right?

Steven Jones’s picture

Steven Jones CreditAttribution: Steven Jones commented

@J0nathan - Did you get any further with diagnosing this issue?

j0nathan’s picture

j0nathan CreditAttribution: j0nathan commented

I will ask anarcat for help about the information needed in #10.

Steven Jones’s picture

Steven Jones CreditAttribution: Steven Jones commented

Just noticed that our apache SSL vhost template DOESN'T protect the private files directory like the not SSL vhost template does, not sure if that's related to this issue?

omega8cc’s picture

omega8cc CreditAttribution: omega8cc commented

The problem is you are trying the file in the /private/ level, while the configuration protects only 2 subdirectories there:

<DirectoryMatch "<?php print $this->site_path; ?>/private/(files|temp)/" >

See: http://drupalcode.org/project/provision.git/blob/HEAD:/http/apache/vhost...

Steven Jones’s picture

Steven Jones CreditAttribution: Steven Jones commented
Category: feature » bug

@omega8cc - Good spot.

I think that people will reasonably expect the private directory to be private.

So should this be:

<DirectoryMatch "<?php print $this->site_path; ?>/private" >

or

<DirectoryMatch "<?php print $this->site_path; ?>/private/" >

?

omega8cc’s picture

omega8cc CreditAttribution: omega8cc commented

There should be no slash at the end of the path, like here: http://drupalcode.org/project/provision.git/blob/HEAD:/http/apache/vhost...

Steven Jones’s picture

Steven Jones CreditAttribution: Steven Jones commented

http://httpd.apache.org/docs/2.0/mod/core.html#directorymatch Seems to suggest it should be a regexp, so:

Actually something more like:

<DirectoryMatch "^<?php print $this->site_path; ?>/private" >

Is needed, though either of the above would work.

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Status: Active » Needs work

Can we build a patch here?

And why don't we just do a <Directory>, since we know the full path anyways?

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Assigned: Unassigned » anarcat
Status: Needs work » Needs review

Push on 2.x as f6acf28, we're now testing this in production.

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Status: Needs review » Fixed

this works in prod for us, merging in 1.x...

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Version: 6.x-1.1 » 6.x-1.8
Status: Closed (fixed) » Needs work

Oddly enough, I have stumbled upon this weird POLA violation in 1.8 again. While private/files are protected, files directly under private/ are *not* protected, which is rather weird considering #16 clearly reported it should be protected, and I myself requested this to not be a pattern-match but just a global blocking of the whole directory in #19, only to commit the incomplete patch 7 minutes later.

Go figure.

So this is too late for the 1.9 release, but I can still fix this in the 2.x branch at least.

anarcat’s picture

anarcat CreditAttribution: anarcat commented
Status: Needs work » Fixed

a new fix has just been pushed, but just missed the 1.9 release, sorry!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit 3fcbb0c on 6.x-1.x, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x by mig5: 
    #1108810 - fix to drop the .htaccess equivalent into the vhost that...