Private files and X-Accel-Redirect support in Nginx is broken [#1197172]

This issue has been originally reported in the Octopus queue: #1196006: X-Accel-Redirect currently broken

Comments

Comment #1

omega8cc CreditAttribution: omega8cc commented 22 June 2011 at 23:15

Status:

Active

» Needs review

This patch is reported to fix the issue: http://drupalcode.org/sandbox/omega8cc/1111100.git/commit/1f15c8d

Comment #2

omega8cc CreditAttribution: omega8cc commented 23 June 2011 at 18:37

One of our Clients discovered that it is possible to bypass access restrictions and display files expected to be protected, when using short URL with /files/private/*, which is rewritten under the hood to /sites/domain/files/private/* but the access restrictions are set only for full path in the URI: /sites/domain/files/private/*.

This commit fixes the issue: http://drupalcode.org/sandbox/omega8cc/1111100.git/commit/5a97243

Comment #3

anarcat CreditAttribution: anarcat commented 12 July 2011 at 22:56

Status:

Needs review

» Fixed

both commits blindly cherry-picked to 1.x and 2.x.

Comment #4

26 July 2011 at 23:01

Status:

Fixed

» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Comment #5

12 June 2014 at 08:41

Commit 613f6bf on 6.x-1.x, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by omega8cc, committed by anarcat:
```
Issue #1197172 - fix for private files and X-Accel-Redirect support in...
```
Commit 8eb0816 on 7.x-2.x, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by omega8cc, committed by anarcat:
```
Issue #1197172 - fix for private files and X-Accel-Redirect support in...
```
Commit 329e922 on 7.x-2.x, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by omega8cc, committed by anarcat:
```
Issue #1197172 - fix for files access bypass bug in the Nginx...
```
Commit c1ce5c8 on 6.x-1.x, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by omega8cc, committed by anarcat:
```
Issue #1197172 - fix for files access bypass bug in the Nginx...
```