Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
The image module creates an "image" folder with permissions that disallow it to be used when the file settings in drupal are set to Public instead of Private. a chmod 700 should fix the problem, but this needs to be addressed in the module.
Comment | File | Size | Author |
---|---|---|---|
#4 | file.inc.permissions_0.patch | 876 bytes | dopry |
#2 | file.inc.permissions.patch | 876 bytes | dopry |
Comments
Comment #1
walkah CreditAttribution: walkah commentedthis is a general file_check_directory issue...
Comment #2
dopry CreditAttribution: dopry commented--changed version to 4.6.5 since it still applies.
As of 4.6.5 directorys are created with permissions 0760...
Here is a patch that updates them to 0761 so directory traversal will be allowed by every user.
Comment #3
moshe weitzman CreditAttribution: moshe weitzman commentedi'm pretty sure this was fixed in HEAD by Morbus
Comment #4
dopry CreditAttribution: dopry commentedThis issue is not filed against head. If that were the case, having the bug fixed in head would be sufficient. However, I feel the change should be included in 4.6.6.
attached is an update patch against 4.6.5 that matches the permissions to head.
Comment #5
Morbus IffThis is a non-critical bugfix, nor is it a security hole. I'm sure with enough effort, I could think of a few more bugs fixed in 4.7 that have more chances of being backported then this thing, especially when this particular bug is caused by a contrib module.