This issue was originally reported in the Octopus queue: #1196006: X-Accel-Redirect currently broken
Comments
Comment #1
omega8cc commented:
This patch is reported to fix the issue: http://drupalcode.org/sandbox/omega8cc/1111100.git/commit/1f15c8d
Comment #2
omega8cc commented:
One of our Clients discovered that it is possible to bypass access restrictions and display files expected to be protected when using the short URL /files/private/*, which is rewritten under the hood to /sites/domain/files/private/*, but the access restrictions are set only for the full path in the URI: /sites/domain/files/private/*.
This commit fixes the issue: http://drupalcode.org/sandbox/omega8cc/1111100.git/commit/5a97243
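The mismatch described in Comment #2, sketched as an nginx server block with a guard on the short path; this is an added example, not part of the original comment and not the configuration changed by the linked commits. The host name, root path, location layout and the use of `internal` on the full path are assumptions made for illustration.

```nginx
# Constructed example: example.com, the root path and all location
# blocks are assumptions, not the project's configuration.
server {
    listen 80;
    server_name example.com;
    root /var/www/drupal;

    # Added guard: refuse the short private path before any rewrite.
    # Regex locations are tried in order of appearance, so this block
    # must come before the generic /files/ rewrite below.
    location ~* ^/files/private/ {
        return 403;
    }

    # Short URL rewritten to the per-site path. "last" restarts location
    # matching with the new URI, and nginx treats the rewritten request
    # as internal.
    location ~* ^/files/ {
        rewrite ^/files/(.*)$ /sites/$server_name/files/$1 last;
    }

    # Restriction on the full path only. "internal" answers direct client
    # requests with 404 but admits X-Accel-Redirect responses and requests
    # changed by rewrite, so without the guard above a request that
    # arrives through the short URL is served.
    location ~* ^/sites/[^/]+/files/private/ {
        internal;
    }

    # Public files under the full path.
    location ~* ^/sites/[^/]+/files/ {
        try_files $uri =404;
    }
}
```

After a change like this, both URL forms of a known private file should be requested without a session and neither should return the file body.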
Comment #3
anarcat commented:
Both commits blindly cherry-picked to 1.x and 2.x.