The image module creates an "image" folder with permissions that disallow it to be used when the file settings in drupal are set to Public instead of Private. a chmod 700 should fix the problem, but this needs to be addressed in the module.

CommentFileSizeAuthor
#4 file.inc.permissions_0.patch876 bytesdopry
#2 file.inc.permissions.patch876 bytesdopry
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

walkah’s picture

walkah CreditAttribution: walkah commented
Project: Image » Drupal core
Version: 4.6.x-1.x-dev » 4.6.3
Component: image.module » file system

this is a general file_check_directory issue...

dopry’s picture

dopry CreditAttribution: dopry commented
Version: 4.6.3 » 4.6.5
Assigned: Unassigned » dopry
Status: Active » Needs review
FileSize
file.inc.permissions.patch876 bytes

--changed version to 4.6.5 since it still applies.
As of 4.6.5 directorys are created with permissions 0760...
Here is a patch that updates them to 0761 so directory traversal will be allowed by every user.

moshe weitzman’s picture

moshe weitzman CreditAttribution: moshe weitzman commented
Status: Needs review » Fixed

i'm pretty sure this was fixed in HEAD by Morbus

dopry’s picture

dopry CreditAttribution: dopry commented
Status: Fixed » Needs review
FileSize
file.inc.permissions_0.patch876 bytes

This issue is not filed against head. If that were the case, having the bug fixed in head would be sufficient. However, I feel the change should be included in 4.6.6.

attached is an update patch against 4.6.5 that matches the permissions to head.

Morbus Iff’s picture

Morbus Iff
they/them
CreditAttribution: Morbus Iff commented
Status: Needs review » Closed (won't fix)

This is a non-critical bugfix, nor is it a security hole. I'm sure with enough effort, I could think of a few more bugs fixed in 4.7 that have more chances of being backported then this thing, especially when this particular bug is caused by a contrib module.