When a user's uploads folder is created, the user is notified that "The directory /home/[account]/[directory]/u3 has been created." This is a problem when I'm using a path like the one I've shown, with my hosting account name shown. (Private file system used here.)

Seems that the full path to the directory should never be shown; instead, the user should be told that "The directory 'u3' has been created." I can't seem to find this string to fix it myself, though.

Comments

mrtoner’s picture

Status: Active » Closed (fixed)

Looks like that's in core, in file.inc at file_check_directory(). I'll have to say something about it to the folks in charge of core.

mrtoner’s picture

Version: 6.x-1.1 » 6.x-1.x-dev
Status: Closed (fixed) » Active

I'm going to open this back up, since it's obvious that this isn't going to be fixed in core for D6.

(For the D7 issue, see #288455: Private file paths can expose hosting account.)

I wonder if IMCE could do just what drewish suggests in the issue linked above: clear the message queue so the "directory created" message doesn't display? This code inserted at line 807 of page.inc would do it:

$imce_messages = drupal_get_messages(NULL,TRUE);

although I don't know if that's the best way/place for it.
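An alternative to clearing the whole message queue as suggested in the comment above, shown as an added example that is not part of the original thread, of IMCE or of Drupal core: it rewrites the queued messages so the files-directory prefix is stripped and unrelated messages are kept. The function names `example_redact_paths` and `example_requeue_redacted_messages` are hypothetical, and it assumes the displayed path begins with the value returned by `file_directory_path()`.

```php
<?php
// Added example: hypothetical helpers, not IMCE or Drupal core code.

/**
 * Strip an absolute base path from queued messages, leaving relative names.
 * $messages has the shape drupal_get_messages() returns:
 *   array('status' => array('msg', ...), 'error' => array(...)).
 */
function example_redact_paths(array $messages, $base_path) {
  $base = rtrim($base_path, '/') . '/';
  // Messages built with t('%directory') contain the HTML-escaped path,
  // so match both the raw and the escaped form of the prefix.
  $needles = array_unique(array($base, htmlspecialchars($base, ENT_QUOTES)));
  foreach ($messages as $type => $list) {
    foreach ($list as $i => $text) {
      $messages[$type][$i] = str_replace($needles, '', $text);
    }
  }
  return $messages;
}

/**
 * Drupal 6 wrapper: drain the queue, redact, then re-queue every message.
 * Assumption: the path shown to the user starts with file_directory_path().
 */
function example_requeue_redacted_messages() {
  $queued = drupal_get_messages(NULL, TRUE);
  $clean = example_redact_paths($queued, file_directory_path());
  foreach ($clean as $type => $list) {
    foreach ($list as $text) {
      drupal_set_message($text, $type, TRUE);
    }
  }
}

// Constructed sample input so the helper can be run without Drupal.
if (!function_exists('drupal_get_messages')) {
  $sample = array('status' => array(
    'The directory <em>/home/exampleacct/private/u3</em> has been created.',
    'Settings saved.',
  ));
  print_r(example_redact_paths($sample, '/home/exampleacct/private'));
}
```

Unlike discarding the queue, this keeps error and warning messages visible to the user while removing only the account-revealing prefix.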

izmeez’s picture

subscribing

ufku’s picture

Status: Active » Closed (won't fix)

Sorry. This issue belongs to core.

mrtoner’s picture

You're right, the issue is with core, but the maintainers have determined this won't be fixed for D6. Meanwhile, your module exposes private hosting account information as a result -- which could be avoided by adding a single line to the code. It wouldn't be the first time module authors have worked around issues in core.