Security warning from Civi re exposed "files" directory

Pantheon doesn't support .htaccess files http://helpdesk.getpantheon.com/customer/portal/articles/368354

I'm working on a blog post about how to implement the required security in the settings.php file, but was busy with http://wiki.civicrm.org/confluence/display/CRM/Google+Summer+of+Code+-+2014. Still time to get involved helping as a co-mentor with one of the projects targeting new CiviCRM users :)

I'll try to get the step by step instructions posted later tonight.

We have this same issue with a new CiviCRM Starter Kit installation on Pantheon, so I'll look forward to a settings.php-based fix! Thanks.

Any update on this?

Subscribe.

Hoping for an update on this..
Subscribe.

Unfortunately the fix is a manual process of moving the directories into the private files dir on Pantheon and then adding the paths to those directories to the civicrm.settings.php file with the dynamic binding variable. We've pushed updates to CiviCRM and Drupal into https://www.drupal.org/project/cm_starterkit_moderate last week and have been working through new issues with those updates including another Pantheon specific problem with #2328701: Update to CSS Injector 2.x After Testing 2.x and Upgrade from 1.x to 2.x is Complete.

This isn't a code issue, but a documentation issue. Unfortunately we get very little help documenting these fixes publicly and have a less than ideal working relationship with Pantheon's support team when it comes to CiviCRM related issues.

@soniat recently opened #2322187: Update Setting-Upload Directories Help Message to add a warning so that anyone using CiviCRM on Pantheon is reminded that because of the dynamic bindings they cannot simply configure the paths to the directories there.

A few people have offered to help maintain this distribution, but never follow through. The result is that progress is depends entirely on my free time... which I have very little of these days.

Thank you @kreynen ! We'll take a look.

Here is what I did:

Open up civicrm.settings.php, do a search in your text editor for "global $civicrm_setting"

Under that, you can add these overrides:

$civicrm_setting['Directory Preferences']['uploadDir'] = '/srv/bindings/' . $pantheon_conf['pantheon_binding'] . '/files/private/upload/';

$civicrm_setting['Directory Preferences']['customFileUploadDir'] = '/srv/bindings/' . $pantheon_conf['pantheon_binding'] . '/files/private/custom/';

Then proceed to move those directories into your pantheon /files/private/ folder.

I am not on the civi starter kit but I did modify civicrm.settings.php on my pantheon installs to reflect this. I haven't tested extensively yet (double checking uploads, etc), so for those of you looking for an answer on this give it a try and report back if it resolves things for you. You can also reference this civi page if you want more info on overriding other settings: http://wiki.civicrm.org/confluence/display/CRMDOC44/Override+CiviCRM+Set...
Hope that helps.

The code below follows "global $civicrm_setting"

$civicrm_setting['Directory Preferences']['extensionsDir'] = '/srv/bindings/' . $pantheon_conf['pantheon_binding'] . '/code/sites/all/extensions/';
}
} else {

Should it be replaced with your code or added?

Add the new code under your existing setting - so in your example, paste the new code on a new line AFTER:

$civicrm_setting['Directory Preferences']['extensionsDir'] = '/srv/bindings/' . $pantheon_conf['pantheon_binding'] . '/code/sites/all/extensions/';

I've attempted to roll a patch to include this in the templates/CRM/common/civicrm.settings.php.template file such as is done in this issue. I've done it against 4.4.12 but should be similar to all 4.4.x.

This patch will work better -- corrects an issue with extensionsURL. Note that this patches the civicrm.settings.php.template file. You can copy and paste the appropriate bits into civicrm.settings.php if needed.