Closed (fixed)
Project:
Provision CiviCRM
Version:
6.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Bug report
Assigned:
Unassigned
Reporter:
Created:
26 Sep 2012 at 14:13 UTC
Updated:
31 May 2013 at 18:00 UTC
I think that CiviCRM with IMCE defaults to storing uploaded images to files/civicrm/persist/contribute. So the provision_civicrm_provision_apache_vhost_config() hook, which inserts:
<Directory "$cividir">
Order allow,deny
Deny from all
</Directory>
Breaks that functionality.
I've attached a patch that provides access to the persist/contribute/ directory. Our sites have no reason to protect this directory. However, I'm not sure if there is a use case that requires it to be protected?
jamie
| Comment | File | Size | Author |
|---|---|---|---|
| persist.contribute.access.patch | 622 bytes | jmcclelland |
Comments
Comment #1
bgm commentedIndeed, I had forgotten about IMCE files. Other uploaded files go through CiviCRM, so it wasn't a problem.
I implemented that mostly after I noticed while noticing on google that some civicrm installs have publicly available logs, which can include private information.
Comment #2
bgm commentedCommitted to 6.x-1.x. Thanks for the patch!
Comment #4
jmcclelland commentedWoops... one more:
This one is if you upload a person image to a civicrm contact. Stored in files/civicrm/custom.
jamie
Comment #5
bgm commentedPatch committed. Sorry for the slow response.
Comment #6
jmcclelland commentedI've discovered another one:
/files/civicrm/persist/openFlashChart
It's used when you have charts in reports.
I wonder if we should just allow all of files/civicrm/persist ?