Index: modules/system/system.install
===================================================================
RCS file: /Users/wright/drupal/local_repo/drupal/modules/system/system.install,v
retrieving revision 1.510
diff -u -p -r1.510 system.install
--- modules/system/system.install	1 Oct 2010 18:37:23 -0000	1.510
+++ modules/system/system.install	2 Oct 2010 15:33:34 -0000
@@ -332,6 +332,28 @@ function system_requirements($phase) {
     }
   }
 
+  // Ensure that a private directory is protected.
+  if ($phase == 'runtime') {
+    $private_directory = variable_get('file_private_path', FALSE);
+    if ($private_directory) {
+      $requirements['file_system_private_secure'] = array(
+        'title' => $t('File system private directory'),
+      );
+
+      $test_file = file_unmanaged_save_data("This is a file to test private download security, and can be safely removed.\n", "private://DRUPAL_PRIVATE_FILES_TEST.txt");
+      $http_result = drupal_http_request(url($base_url . '/' . $private_directory . substr($test_file, 9)));
+      if (!isset($http_result->error)) {
+        $requirements['file_system_private_secure']['description'] = $t('The directory %directory is publicly accessible, allowing access to private files without checking access permissions. Ensure that the directory is not directly accessible by moving it outside of your website root and changing the path at the <a href="@admin-file-system">file system settings page</a> or configuring your web server to block access to the directory.', array('@admin-file-system' => url('admin/config/media/file-system'), '%directory' => $private_directory));
+        $requirements['file_system_private_secure']['severity'] = REQUIREMENT_ERROR;
+        $requirements['file_system_private_secure']['value'] = $t('Not secure');
+      }
+      else {
+        $requirements['file_system_private_secure']['value'] = $t('%directory is not directly accessible from the web.', array('%directory' => $private_directory));
+      }
+      file_unmanaged_delete($test_file);
+    }
+  }
+
   // See if updates are available in update.php.
   if ($phase == 'runtime') {
     $requirements['update'] = array(
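Review bot: The check fails open: in the `if (!isset($http_result->error))` / `else` pair, every error from drupal_http_request() is reported as "%directory is not directly accessible from the web". That includes a timeout, a server that cannot reach its own base URL, or a probe built from a FALSE `$test_file` when file_unmanaged_save_data() could not write. An administrator would then see a passing status for a directory that was never tested. I would report the directory as protected only when the response actually denies the file (for example 403 or 404), use REQUIREMENT_WARNING when the probe could not run, and skip the delete when nothing was written. system_requirements() starts and ends outside this hunk, so whether `$base_url` is declared global there cannot be confirmed from here.

```php
      // … unchanged: $test_file = file_unmanaged_save_data(…) …
      $http_result = FALSE;
      if ($test_file) {
        // … unchanged: $http_result = drupal_http_request(…) …
      }
      if ($http_result && !isset($http_result->error)) {
        // … unchanged: description, REQUIREMENT_ERROR and 'Not secure' …
      }
      elseif ($http_result && in_array($http_result->code, array(403, 404))) {
        // … unchanged: 'not directly accessible' value …
      }
      else {
        // Test file missing or request failed for another reason: exposure is unknown.
        $requirements['file_system_private_secure']['severity'] = REQUIREMENT_WARNING;
        $requirements['file_system_private_secure']['value'] = $t('Could not be verified');
      }
      if ($test_file) {
        file_unmanaged_delete($test_file);
      }
```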
