Hi,

'Private Download' doesn't protect files in subdirectories. Configuration: CCK, Filefield, Filefield paths; the latter one creates subdirectories for file storage below the private file directory; those subdirectories are created dynamically with tokens.

Drupal file directory: sites/default/files
Private files directory: sites/default/files/private

The files to be protected reside in subdirectories of /sites/default/files/private.

sites/default/files/private has this .htaccess file:

$ cat sites/default/files/private/.htaccess 
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteBase /system/files/private
  RewriteRule ^(.*)$ $1 [L,R=301]
</IfModule>

Subdirectories have no .htaccess file.

Is there any chance to get 'Private Download' working together with dynamically created subdirectories?

Thanks, -asb

Comments

johnhanley

Priority: Major » Normal

It's an interesting idea. We need to devise a way to programmatically insert a .htaccess file each time a new directory is created.
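One way to do what johnhanley suggests, as an added example that is not part of this thread or of the Private Download module: a small POSIX shell script that writes the same mod_rewrite .htaccess shown in the issue summary into the private directory and into every subdirectory below it. Because per-directory mod_rewrite strips the local directory prefix before matching, each subdirectory gets a RewriteBase of the URL prefix plus its path relative to the private root. The filesystem path and the URL prefix (/system/files/private in this thread) are passed as arguments; the helper names are assumptions made for this example, and it could be run from cron or from a post-upload hook after the module creates a new subdirectory.

```shell
#!/bin/sh
# Added example, not code from the Private Download module. Installs a
# mod_rewrite .htaccess into a private files directory and all of its
# subdirectories so that files in dynamically created subdirectories are
# also redirected to Drupal's /system/files path.
#   $1 = filesystem path of the private directory (no trailing slash)
#   $2 = URL prefix the module serves it under, e.g. /system/files/private

write_htaccess() {
  # $1 = directory to write into, $2 = RewriteBase for that directory.
  # The RewriteRule substitution $1 is escaped so it reaches the file literally.
  cat > "$1/.htaccess" <<EOF
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteBase $2
  RewriteRule ^(.*)$ \$1 [L,R=301]
</IfModule>
EOF
}

install_private_htaccess() {
  root=$1
  urlbase=$2
  # find lists the root itself first, then every subdirectory. For a
  # subdirectory, the RewriteBase is the URL prefix plus the path relative
  # to the root, which is what per-directory mod_rewrite needs after it has
  # stripped the local prefix (e.g. "veille/") from the matched path.
  find "$root" -type d | while read -r dir; do
    rel=${dir#"$root"}
    write_htaccess "$dir" "$urlbase$rel"
  done
}

# Returns the RewriteBase written into a directory's .htaccess, so the
# result can be checked after a run.
htaccess_rewritebase() {
  sed -n 's/^ *RewriteBase //p' "$1/.htaccess"
}

# Usage (hypothetical paths):
#   install_private_htaccess /var/www/mysite/sites/default/files/private /system/files/private
```

Re-running the script is safe: it simply overwrites each .htaccess with the same content, so it can be scheduled to pick up subdirectories created since the last run.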

mhawker

subscribed

Daniel Wentsch

Subscribing

alex.pilon

The best solution to this is to put the private files directory outside of the web root.

Not doing this is like a bank keeping its money behind the desk: "You can't see it, but it's here." Whereas in the vault, whether or not you know it's there, you can't access it.

So if you can, have /home/mysite/web and /home/mysite/files, and point apache to the first directory and tell drupal to private download from the second one.

You could also do like this: http://httpd.apache.org/docs/2.2/mod/core.html#directory (the last example of the section)

This could go in the main htaccess file and should restrict direct access to anything in this directory. (this snippet probably needs adjustment).


Deny from All

asb

@alex.pilon: I think you are missing the point of the 'Private Download' module. From the project page:

Private Download provides a private download directory for use when the file system is configured for public download access.

For sure there are safe(r) ways to handle files, and for sure there are safe(r) systems than Drupal to deal with money-like files. The 'Private Download' module is for use cases where the given things are a) Drupal, and b) public files configuration.

msathesh

Is there any update on this? I'm in a similar situation, needing to protect sub-directories within the private folder... any alternate solutions?

anrikun

Version: 6.x-1.3 » 6.x-1.x-dev
Category: feature » support

@all: what you experience is not normal.
All my private files are always stored in sub-directories of the private dir, and still it works as expected without any change.
No extra .htaccess should be necessary.
Isn't there any .htaccess in a parent directory that breaks something?

A real example:
Try to download http://www.lelieududesign.com/sites/default/files/private/veille/veille-...
You will notice that the file is in sub-directory private/veille, and I guarantee that there is no extra .htaccess inside this sub-directory.
Still, you should not be allowed to download the file.

asb

@anrikun: You're probably running non-standard settings in your Apache configuration, or you have modified the site-wide .htaccess file somehow.

Can you give us your configs for comparison, e.g.:

        <Directory />
                Options FollowSymLinks
                AllowOverride All
        </Directory>

        <Directory /var/www/yoursite >
                Options -Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
                ...
        </Directory>

anrikun

My config looks the same:

<Directory [...]/mysite>
Options -Indexes +IncludesNOEXEC +FollowSymLinks +ExecCGI
allow from all
AllowOverride All
</Directory>

All .htaccess files are Drupal default ones.
Especially the one inside /sites/default/files:

SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Options None
Options +FollowSymLinks

johnhanley

Issue summary: View changes
Status: Active » Closed (won't fix)

Closing due to Drupal 6 end-of-life cycle.