I'm using IMCE as my upload module. I set the "File system path:" to a directory(e.g /home/xyz/files) that is outside of drupal's installation directory and set its 'download method' to private. I noticed after I uploaded a file named secret.bin to /home/xyz/files/ it's referred as http://mysite.com/system/files/secret.bin.

My intention is that before login this uploaded file should be kept 100% private, i.e. none should be able to download it(even though they know the URL is http://mysite.com/system/files/secret.bin) until they login. However it's not the case, anyone can access this file once they know the URL.

That means, drupal (at least with IMCE as its uploading method) has no way to keep uploaded files private, it surprises me that drupal redirects http requests to a directory(/home/xyz/files) totally outside of its own directory, that really should not happen, and I consider it's a security risk.

any helps are greatly appreciated, maybe I should switch from IMCE to the default upload module, but I already had too many uploaded files in various sub-directories managed by IMCE, sigh.

Comments

vm’s picture

you say "outside of drupal's installation directory " is it above the public root? if not, thats the problem

ie: it needs to be above public_html or www or home or whatever your public root is that can't be accessed from by users with a browser.

Anonymous’s picture

it's above the public root as far as I can tell, here is the detailed info:

/var/www/mysite.com is the root html directory
$cd /home/xyz
$ln -s /var/www/mysite.com mysite.com
$mkdir files
$ls -l
mysite.com
files

so, the uploaded path is in parallel to the root directory. drupal really should not redirect the /system/files/whatever request to a directory outside of its own directory(i.e. mysite.com).

thanks for the help

vm’s picture

mysite.com looks like it is a subdirectory in your public root.

it needs to be above the public root which looks like its www. if it's not above where a browser can't grab it naturally, drupal can't protect it. Drupal will serve it when it's above the public root to logged in users only.

Anonymous’s picture

I do think /home/xyz/files is outside of both /var/www and /var/www/mysite.com.

I just did a risky move, i.e. 'mv /home/xyz/files /var', which is absolutely outside of the public root, however anyone can still download files via http://mysite.com/system/files/secret.bin.

I'm doubtful on IMCE module, as I used the default upload module before and I remembered it worked fine.

could this be considered a security risk? I'm using 6.14 with the newest IMCE module.

vm’s picture

My files folder is above the public root and anon users can't download the files. Only registered and logged in users have access to the system path.

I'd keep moving the direcory up a folder until it can't be reached. However, once you get it out of of reach of anon users, your uploaded files won't work after it's changed and will need to manually be altered in the database.

Anonymous’s picture

are you using the default upload module or IMCE, I used upload module it worked fine (last year), but now I'm using IMCE which presents this problem, not sure if it's the cause.

thanks!

vm’s picture

I don't use IMCE, however I don't see why that would make a difference.

You can always install a test site in another subdirectory and test your theory. If IMCE proves to be the issue, you can file a bug report.

As far as it being a security risk, I wouldn't classify it as a security risk as it doesn't allow anyone access to your database and isn't any kind of an exploit that would hurt anything. Though I understand you want to keep files private, and right now they aren't for one reason or another.

Anonymous’s picture

thanks for the help. maybe some contributed modules did the damage, need time to try them out one-by-one. sigh.

Anonymous’s picture

after some tests I realized this is specific to IMCE, if you use the default upload module everything will work well.