Now, with the upgrade to CiviCRM 4.4.4, a security warning appears that the files/civicrm/upload directory is exposed. The instruction page for this warning tells how to check, and sure enough, I am able to browse that directory and view this file:
http://live-mysite.gotpantheon.com/sites/default/files/civicrm/upload/la...
This, even though the actual directory is parallel with "code" and starter kit uses a symlink for the "files" directory. It seems the htaccess file is not protecting this directory. This seems like a distro issue to me, although I'm willing to learn otherwise.
Here's how htaccess reads:
<Files "*">
Order allow,deny
Deny from all
</Files>
I'd like to configure htaccess to protect the directory as a temporary protection until this is fixed. Can you tell us what our htaccess file should say?
Thanks for all your work!
D
| Comment | File | Size | Author |
|---|---|---|---|
| #12 | 2195947-pantheon-settings-4-4-files-security-2.patch | 4.02 KB | nubeli |
Comments
Comment #1
kreynen commented: Pantheon doesn't support .htaccess files http://helpdesk.getpantheon.com/customer/portal/articles/368354
I'm working on a blog post about how to implement the required security in the settings.php file, but was busy with http://wiki.civicrm.org/confluence/display/CRM/Google+Summer+of+Code+-+2014. Still time to get involved helping as a co-mentor with one of the projects targeting new CiviCRM users :)
I'll try to get the step by step instructions posted later tonight.
Comment #2
BrightBold commented: We have this same issue with a new CiviCRM Starter Kit installation on Pantheon, so I'll look forward to a settings.php-based fix! Thanks.
Comment #3
upasaka commented: Any update on this?
Comment #4
webskillet commented: Subscribe.
Comment #5
flux423 commented: Hoping for an update on this..
Subscribe.
Comment #6
kreynen commented: Unfortunately the fix is a manual process of moving the directories into the private files dir on Pantheon and then adding the paths to those directories to the civicrm.settings.php file with the dynamic binding variable. We've pushed updates to CiviCRM and Drupal into https://www.drupal.org/project/cm_starterkit_moderate last week and have been working through new issues with those updates including another Pantheon specific problem with #2328701: Update to CSS Injector 2.x After Testing 2.x and Upgrade from 1.x to 2.x is Complete.
This isn't a code issue, but a documentation issue. Unfortunately we get very little help documenting these fixes publicly and have a less than ideal working relationship with Pantheon's support team when it comes to CiviCRM related issues.
@soniat recently opened #2322187: Update Setting-Upload Directories Help Message to add a warning so that anyone using CiviCRM on Pantheon is reminded that because of the dynamic bindings they cannot simply configure the paths to the directories there.
A few people have offered to help maintain this distribution, but never follow through. The result is that progress depends entirely on my free time... which I have very little of these days.
Comment #7
flux423 commented: Thank you @kreynen ! We'll take a look.
Comment #8
emilyf commented: Here is what I did:
Open up civicrm.settings.php, do a search in your text editor for "global $civicrm_setting"
Under that, you can add these overrides:
Then proceed to move those directories into your pantheon /files/private/ folder.
I am not on the civi starter kit but I did modify civicrm.settings.php on my pantheon installs to reflect this. I haven't tested extensively yet (double checking uploads, etc), so for those of you looking for an answer on this give it a try and report back if it resolves things for you. You can also reference this civi page if you want more info on overriding other settings: http://wiki.civicrm.org/confluence/display/CRMDOC44/Override+CiviCRM+Set...
Hope that helps.
Comment #9
soniat commented: The code below follows "global $civicrm_setting"
$civicrm_setting['Directory Preferences']['extensionsDir'] = '/srv/bindings/' . $pantheon_conf['pantheon_binding'] . '/code/sites/all/extensions/';
}
} else {
Should it be replaced with your code or added?
Comment #10
emilyf commented: Add the new code under your existing setting - so in your example, paste the new code on a new line AFTER:
$civicrm_setting['Directory Preferences']['extensionsDir'] = '/srv/bindings/' . $pantheon_conf['pantheon_binding'] . '/code/sites/all/extensions/';
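The override block the thread describes in comments #6 and #8 through #10, written out as an added example (this is not code from the issue, the Starter Kit, or the attached patch). It assumes what the thread assumes: `$pantheon_conf['pantheon_binding']` is already populated by Pantheon's settings include, the block is pasted on the line after the existing `extensionsDir` setting, and the moved directories live under `files/private/civicrm/` as comment #8 suggests. The setting names are CiviCRM's standard `Directory Preferences` keys; the choice to leave `imageUploadDir` public is an assumption based on CiviCRM fetching mailing images by URL, so moving it private would break those images rather than harden anything.

```php
<?php
// Added example, not from the issue thread or the Starter Kit.
// Goes in civicrm.settings.php directly after the existing line
//   $civicrm_setting['Directory Preferences']['extensionsDir'] = ...;
// Assumes $pantheon_conf['pantheon_binding'] is set by Pantheon's settings
// include, as the existing Starter Kit line already relies on.

global $civicrm_setting;

if (isset($pantheon_conf['pantheon_binding'])) {
  $binding_root = '/srv/bindings/' . $pantheon_conf['pantheon_binding'];

  // Pantheon serves everything under files/ over HTTP except files/private/,
  // so that is where the browseable CiviCRM directories are relocated.
  $private_root = $binding_root . '/files/private/civicrm';
  $public_root  = $binding_root . '/files/civicrm';

  // These hold uploads, custom data files, templates and PHP overrides.
  // None of them needs to be reachable by URL, so they move to private storage.
  $civicrm_setting['Directory Preferences']['uploadDir']           = $private_root . '/upload/';
  $civicrm_setting['Directory Preferences']['customFileUploadDir'] = $private_root . '/custom/';
  $civicrm_setting['Directory Preferences']['customTemplateDir']   = $private_root . '/templates/';
  $civicrm_setting['Directory Preferences']['customPHPPathDir']    = $private_root . '/php/';

  // Assumption: images embedded in mailings are loaded by URL from this
  // directory, so it stays in the public files tree on purpose.
  $civicrm_setting['Directory Preferences']['imageUploadDir'] = $public_root . '/persist/contribute/';

  // Extensions keep living in the code tree, matching the Starter Kit's line.
  $civicrm_setting['Directory Preferences']['extensionsDir'] = $binding_root . '/code/sites/all/extensions/';

  // Create the private directories on first request if they are missing.
  // 0770: owner and group only, no world access.
  foreach (array('/upload', '/custom', '/templates', '/php') as $dir) {
    if (!is_dir($private_root . $dir)) {
      @mkdir($private_root . $dir, 0770, TRUE);
    }
  }
}
```

After pasting this and moving the existing contents of `files/civicrm/upload` and `files/civicrm/custom` into the matching `files/private/civicrm/` directories, re-run the check from the CiviCRM warning page: a file you know exists in the upload directory should no longer be retrievable at `/sites/default/files/civicrm/upload/<name>`, and the Administer > System Settings > Directories screen should show the new private paths. If the warning persists, the overrides are being set before `global $civicrm_setting;` or inside a branch that does not run for the Pantheon environment.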
Comment #11
nubeli commented: I've attempted to roll a patch to include this in the templates/CRM/common/civicrm.settings.php.template file such as is done in this issue. I've done it against 4.4.12 but should be similar to all 4.4.x.
Comment #12
nubeli commented: This patch will work better -- corrects an issue with extensionsURL. Note that this patches the civicrm.settings.php.template file. You can copy and paste the appropriate bits into civicrm.settings.php if needed.
Comment #15
nubeli commented