Jump to:
| Project: | Drupal core |
| Version: | 7.x-dev |
| Component: | file system |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (duplicate) |
Issue Summary
The file management system is neither resilient nor secure.
It's not resilient because any change to the path of the files folder, such as moving a site from one URL to another, breaks all files. See http://drupal.org/node/258099 for an example of the heartache this causes.
The file system is not very secure because it gives away locations of files, which could invite probing of a site's filesystem.
I request that Drupal adopt a mechanism where files and filesystem paths are abstracted behind some kind of PHP logic. With this, displayed file paths do not need to correspond to anything in the filesystem, plus it opens up interesting opportunities for file management, as built in file versioning (may have to use something like a GUID in the file name).
Comments
#1
The ability to change the file directory path is an old feature request and well known. Security by obscurity is not an effective means of security. You can't effectively hide URLs or URL paths, or disconnect them from file system paths without incurring significant file delivery overhead in Drupal, much like private files currently.