I think that CiviCRM with IMCE defaults to storing uploaded images to files/civicrm/persist/contribute. So the provision_civicrm_provision_apache_vhost_config() hook, which inserts:

 <Directory "$cividir">
    Order allow,deny
    Deny from all
    </Directory>

Breaks that functionality.

I've attached a patch that provides access to the persist/contribute/ directory. Our sites have no reason to protect this directory. However, I'm not sure if there is a use case that requires it to be protected?

jamie

CommentFileSizeAuthor
persist.contribute.access.patch622 bytesjmcclelland

Comments

bgm’s picture

Status: Needs review » Reviewed & tested by the community

Indeed, I had forgotten about IMCE files. Other uploaded files go through CiviCRM, so it wasn't a problem.

I implemented that mostly after I noticed while noticing on google that some civicrm installs have publicly available logs, which can include private information.

bgm’s picture

Status: Reviewed & tested by the community » Fixed

Committed to 6.x-1.x. Thanks for the patch!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

jmcclelland’s picture

Status: Closed (fixed) » Needs review

Woops... one more:

--- a/verify.provision.inc
+++ b/verify.provision.inc
@@ -99,6 +99,7 @@ function provision_civicrm_provision_apache_vhost_config($data = null) {
 
   $cividir = d()->site_path . '/files/civicrm';
   $contribdir = $cividir . '/persist/contribute';
+  $customdir = $cividir . '/custom';
 
   $htaccess  = 
       "<Directory \"$cividir\">\n"
@@ -108,6 +109,10 @@ function provision_civicrm_provision_apache_vhost_config($data = null) {
     . "<Directory \"$contribdir\">\n"
     . "  Order allow,deny\n"
     . "  Allow from all\n"
+    . "</Directory>\n"
+    . "<Directory \"$customdir\">\n"
+    . "  Order allow,deny\n"
+    . "  Allow from all\n"
     . "</Directory>\n";
 
   return $htaccess;

This one is if you upload a person image to a civicrm contact. Stored in files/civicrm/custom.

jamie

bgm’s picture

Status: Needs review » Fixed

Patch committed. Sorry for the slow response.

jmcclelland’s picture

I've discovered another one:

/files/civicrm/persist/openFlashChart

It's used when you have charts in reports.

I wonder if we should just allow all of files/civicrm/persist ?

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.