This issue has been originally reported in the Octopus queue: #1196006: X-Accel-Redirect currently broken

Comments

omega8cc’s picture

omega8cc commented
Status: Active » Needs review

This patch is reported to fix the issue: http://drupalcode.org/sandbox/omega8cc/1111100.git/commit/1f15c8d

omega8cc’s picture

omega8cc commented

One of our Clients discovered that it is possible to bypass access restrictions and display files expected to be protected, when using short URL with /files/private/*, which is rewritten under the hood to /sites/domain/files/private/* but the access restrictions are set only for full path in the URI: /sites/domain/files/private/*.

This commit fixes the issue: http://drupalcode.org/sandbox/omega8cc/1111100.git/commit/5a97243

anarcat’s picture

anarcat commented
Status: Needs review » Fixed

both commits blindly cherry-picked to 1.x and 2.x.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit 613f6bf on 6.x-1.x, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by omega8cc, committed by anarcat: 
    Issue #1197172 - fix for private files and X-Accel-Redirect support in...
  • Commit 8eb0816 on 7.x-2.x, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by omega8cc, committed by anarcat:
    Issue #1197172 - fix for private files and X-Accel-Redirect support in...
  • Commit 329e922 on 7.x-2.x, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by omega8cc, committed by anarcat:
    Issue #1197172 - fix for files access bypass bug in the Nginx...
  • Commit c1ce5c8 on 6.x-1.x, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by omega8cc, committed by anarcat:
    Issue #1197172 - fix for files access bypass bug in the Nginx...