The upgrade to v3.6 includes checks that the path to the image (for local folders) does not include "..".

For the component of the path which is input as part of the tag on the page this is fine, preventing access to folders outside the scope of the configured root. However, the check is also applied to the part of the path set up by the administrator to define the root folder for all galleries, which in my opinion is too restrictive.

I have a live site and a test site in separate subdirectories, and have set my galleries root folder to be a common location, at the same level as these two. Before v3.6 the two sites could both access the same common folder by setting up a root folder starting "../../". The restriction in v3.6 has broken this design, which as I say seems to me quite reasonable.

Tony.

Comments

Anonymous

PS. v3.6 also prevents the root folder, as set by the administrator, being an absolute path (starting with a slash) which would be an alternative way of achieving the result I am looking for.

Tony.

drpchris

My comment on this would be that it's difficult to determine when the use of '..' is good/bad, so we should just disallow it. Proper practice with Drupal is to have stuff in the 'sites' folder, and have different folders below that for each site. The code as written uses Drupal functions to find out what the proper (for example) 'sites/default/files/albums' folder is (see http://api.drupal.org/api/function/conf_path/6 as used in file_directory_path()). This means that albums should be able to be shared among different sites in one Drupal installation.

I'd rather not see this (or any) module promoting 'improper' placing of stuff in the Drupal directory structure. Anyway, it's not a difficult change to get rid of the '..' check in the image.php code - just comment out one line.

drpchris

Also, in response to your setup with 2 Drupal installs, you might try creating an OS-level alias/link to the actual album directory in the other install site.
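
The distinction discussed in this thread, as an added example (not the module's image.php and not code from either poster): the administrator's root setting is canonicalised and may contain "..", while the path taken from the page tag is confined to that root. The function name, file names and temporary directory layout are assumptions constructed for the demonstration.

```php
<?php
// Added example; resolve_gallery_image() is a hypothetical name, not the module's API.
function resolve_gallery_image(string $adminRoot, string $tagPath): ?string
{
    // Admin-configured root: trusted, so "../../shared" or an absolute path is
    // accepted, but canonicalised once so checks compare real locations.
    $root = realpath($adminRoot);
    if ($root === false || !is_dir($root)) {
        return null;
    }

    // Tag component from the page: untrusted. Refuse empty, NUL-containing
    // and absolute values before touching the filesystem.
    if ($tagPath === '' || strpos($tagPath, "\0") !== false
        || $tagPath[0] === '/' || $tagPath[0] === '\\') {
        return null;
    }

    // realpath() collapses "..", "." and symlinks, and fails on missing files.
    $target = realpath($root . DIRECTORY_SEPARATOR . $tagPath);
    if ($target === false || !is_file($target)) {
        return null;
    }

    // Containment test on the canonical path. The trailing separator stops
    // a sibling such as "/shared-old" from matching the root "/shared".
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed layout: live/ and test/ sites beside a shared gallery folder.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery_demo_' . getmypid();
mkdir("$base/live/site", 0700, true);
mkdir("$base/shared/albums", 0700, true);
file_put_contents("$base/shared/albums/a.jpg", 'constructed sample');
file_put_contents("$base/settings.txt", 'constructed sample');

$adminRoot = "$base/live/site/../../shared"; // administrator setting with ".."
$requests = ['albums/a.jpg', '../settings.txt', 'albums/../../settings.txt', '/etc/hostname'];
foreach ($requests as $tagPath) {
    $resolved = resolve_gallery_image($adminRoot, $tagPath);
    printf("%-28s %s\n", $tagPath, $resolved === null ? 'rejected' : 'served');
}
```

Because the containment test runs on the canonical path, an OS-level link placed inside the root that points elsewhere will also be rejected unless its target is under the root.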