As far as I can see, if you use the files directory that is created by Drupal (admin/settings), then you have the security .htaccess file. If you choose a different directory, then you don't (talking public files here, only... don't know if the issue applies to private). This task is to add the .htaccess file generation step to any directory that is specified as the public uploads directory.
Note that this should be backported to 4.6.
Comments
Comment #1
telcontar commented
Note that attachment does not deal with public/private URLs directly but uses filemanager to achieve this. I think the admin/settings page you are referring to must be for the filemanager module.
Are you referring to DRUPAL-SA-2006-006? I think you're right, and the .htaccess file in the "files" directory should be applied to any directory specified for public upload.
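An added example, not part of the original thread and not Drupal's or filemanager's own code: a shell function an administrator could run against a custom public upload directory to confirm that the protective .htaccess discussed above is present, and to write it when it is missing. The directives are the ones Drupal core wrote to its own files directory for DRUPAL-SA-2006-006; the function name and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit/repair the protective .htaccess in an upload directory.
# Directives as written by Drupal core to its "files" directory after
# DRUPAL-SA-2006-006 (assumption: a custom upload directory needs the same).
HTACCESS_RULES='SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks'

# ensure_upload_htaccess DIR   (hypothetical helper name)
# returns 0: protection present (already there, or newly written)
#         1: DIR is missing or could not be written to
#         2: a .htaccess exists but has no SetHandler override; left untouched
ensure_upload_htaccess() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 1; }
    file="$dir/.htaccess"

    if [ -f "$file" ]; then
        # Never overwrite a site-specific file; only report whether the
        # handler override that neutralises uploaded scripts is there.
        if grep -q '^[[:space:]]*SetHandler[[:space:]]' "$file"; then
            return 0
        fi
        echo "review by hand: $file has no SetHandler override" >&2
        return 2
    fi

    [ -w "$dir" ] || { echo "not writable: $dir" >&2; return 1; }
    printf '%s\n' "$HTACCESS_RULES" > "$file" || return 1
    return 0
}
```

A return code of 2 marks a directory whose existing .htaccess needs manual review rather than an automatic rewrite.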
Comment #2
telcontar commented
This seems to have been fixed in CVS a while ago.
Comment #3
Susurrus commented
Not too long ago, I just started using filemanager about 2 weeks ago. Does the Sept-10th release fix this?