Hi,
I have a site hosted in Aegir (0.4-rc1 I think). In its "private" directory, I put a text file:
~/platforms/myplatform/sites/example.org/private/test.txt
From a web browser, I can access it directly and read it with a URL like this:
http://example.org/sites/example.org/private/test.txt
Comments
Comment #1
Anonymous (not verified) CreditAttribution: Anonymous commented
I think we made that private directory just for Drupal 7 compatibility.
According to http://drupal.org/documentation/modules/file, when you set private download method in drupal 7, it drops a .htaccess in there saying Deny from All.
It's probably not respected in Drupal 6, but wasn't intended to be. You could nonetheless drop such a .htaccess file in there yourself if you wish.
Comment #2
j0nathan CreditAttribution: j0nathan commented
Hi mig5,
I tried with an .htaccess file saying "Deny from All" but I still have access to my text file.
Maybe we can automatically put a README file into that directory explaining that it is not really private and should be configured into Drupal, version 7.
Comment #3
anarcat CreditAttribution: anarcat commented
I think we should hardcode in our templates that /private is forbidden.
Comment #4
Anonymous (not verified) CreditAttribution: Anonymous commented
I did just that, please patch from http://drupalcode.org/project/provision.git/commit/3fcbb0c, let us know if it doesn't fix the issue for you.
Comment #6
j0nathan CreditAttribution: j0nathan commented
Hi,
On what version should it work?
I tried with 6.x-1.0-rc7 and the file is still accessible.
I haven't patched anything.
Comment #7
anarcat CreditAttribution: anarcat commented
This was supposedly fixed in rc4. You will need to re-verify the site (and maybe even the platform).
Please try again.
Comment #8
Anonymous (not verified) CreditAttribution: Anonymous commented
And remember you may need to re-verify your site/platform in order to have that config snippet appended to the relevant vhost config.
Comment #9
j0nathan CreditAttribution: j0nathan commented
I've just re-verified the platform and re-verified the site, I cleared the cache (drush cc all) and cleared boost's cache, I cleared my browser's cache and tried with different browsers, but I can still access the file.
Comment #10
Anonymous (not verified) CreditAttribution: Anonymous commented
Can you paste the DirectoryMatch snippet of the relevant vhost config file? Or e-mail it to me.
Maybe I have screwed up the path and that's why. Also include what you think the path ought to be, if it looks wrong in the vhost.
Comment #11
joestewart CreditAttribution: joestewart commented
Can we just remove the private directory creation? It's not part of Drupal 7, right?
Comment #12
Steven Jones CreditAttribution: Steven Jones commented
@J0nathan - Did you get any further with diagnosing this issue?
Comment #13
j0nathan CreditAttribution: j0nathan commented
I will ask anarcat for help about the information needed in #10.
Comment #14
Steven Jones CreditAttribution: Steven Jones commented
Just noticed that our Apache SSL vhost template DOESN'T protect the private files directory like the non-SSL vhost template does; not sure if that's related to this issue?
Comment #15
omega8cc CreditAttribution: omega8cc commented
The problem is you are trying the file at the /private/ level, while the configuration protects only 2 subdirectories there:
See: http://drupalcode.org/project/provision.git/blob/HEAD:/http/apache/vhost...
Comment #16
Steven Jones CreditAttribution: Steven Jones commented
@omega8cc - Good spot.
I think that people will reasonably expect the private directory to be private.
So should this be:
or
?
Comment #17
omega8cc CreditAttribution: omega8cc commented
There should be no slash at the end of the path, like here: http://drupalcode.org/project/provision.git/blob/HEAD:/http/apache/vhost...
Comment #18
Steven Jones CreditAttribution: Steven Jones commented
http://httpd.apache.org/docs/2.0/mod/core.html#directorymatch seems to suggest it should be a regexp, so:
Actually, something more like:
is needed, though either of the above would work.
Comment #19
anarcat CreditAttribution: anarcat commented
Can we build a patch here?
And why don't we just do a
<Directory>
, since we know the full path anyways?
Comment #20
anarcat CreditAttribution: anarcat commented
Pushed on 2.x as f6acf28, we're now testing this in production.
Comment #21
anarcat CreditAttribution: anarcat commented
This works in prod for us, merging in 1.x...
Comment #23
anarcat CreditAttribution: anarcat commented
Oddly enough, I have stumbled upon this weird POLA violation in 1.8 again. While private/files are protected, files directly under private/ are *not* protected, which is rather weird considering #16 clearly reported it should be protected, and I myself requested this to not be a pattern-match but just a global blocking of the whole directory in #19, only to commit the incomplete patch 7 minutes later.
Go figure.
So this is too late for the 1.9 release, but I can still fix this in the 2.x branch at least.
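The two Apache configurations being contrasted in #15, #19 and #23, written out as an added illustration. This is not the provision vhost template itself (which is linked but not shown on this page); the filesystem path is a constructed placeholder for the site from the original report, and the `DirectoryMatch` pattern is an assumption that names only the `files` subdirectory mentioned in #23, since the template's exact pattern is not visible here.

```apache
# Added illustration, not the Aegir/provision vhost template.
# Path is a constructed placeholder for the reporter's site.

# 1. Pattern-matching named subdirectories only (the behaviour described in #23).
#    A file placed directly in private/ (e.g. private/test.txt) does NOT match
#    this pattern and stays readable over HTTP.
<DirectoryMatch "/var/aegir/platforms/myplatform/sites/example.org/private/files">
    Require all denied
</DirectoryMatch>

# 2. Blocking the whole directory with <Directory>, as suggested in #19.
#    Every file under private/, at any depth, is refused. Note: no trailing
#    slash on the path (#17).
<Directory "/var/aegir/platforms/myplatform/sites/example.org/private">
    # Apache 2.4 syntax
    Require all denied
    # Apache 2.2 / 2.0 equivalent (the "Deny from All" form used in #1 and #2):
    # Order deny,allow
    # Deny from all
</Directory>
```

Two practical points follow from the thread. First, the `.htaccess` approach tried in #2 only takes effect if the vhost's `AllowOverride` for that path permits it (`Limit` for `Order`/`Deny`, `AuthConfig` for `Require`); under `AllowOverride None` the file is silently ignored, which is consistent with what #2 observed. Second, as #7 and #8 note, the block only protects anything once it is actually present in the generated vhost and Apache has been reloaded, so after re-verifying, confirm the `<Directory>` stanza appears in the vhost file before retesting the URL.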
Comment #24
anarcat CreditAttribution: anarcat commented
A new fix has just been pushed, but just missed the 1.9 release, sorry!