After enabling hosting_civicrm and running provision-verify on my CiviCRM site, this warning message appears upon login:

Avertissement de sécurité
Files in the data directory (/var/aegir/platforms/drupal743-civicrm/sites/foo/files/civicrm/custom/) should not be downloadable.
Read more about this warning

It refers to the following URL for more information:
http://wiki.civicrm.org/confluence/display/CRMDOC/checkUploadsAreNotAcce...

Comments

lavamind created an issue.

helmo’s picture

Status: Active » Needs review

The 'custom' dir is mentioned in drush/verify.provision.inc where allow might have to be changed to deny.

helmo’s picture

#2155445: 403 Forbidden in Ubuntu Saucy might be relevant here, to update the Apache config to 2.4

bgm’s picture

Related issue that should be fixed at the same time: we should use "*" in the Directory directives, otherwise someone could access the files from a vhost from another vhost in the same platform.

  • bgm committed bfa3ad6 on 7.x-3.x
    Issue #2702365: Do not allow access to civicrm/custom directory.
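
The two points raised in the comments above (deny instead of allow for the `custom` directory, and a `*` in the Directory path so the rule also applies when the files are requested through another vhost on the same platform), sketched as an added example. This is not the content of commit bfa3ad6 or of drush/verify.provision.inc; the commented-out "before" block is an assumption about the earlier rule, and the path reuses the one from the warning message.

```apache
# Constructed example, not the project's generated vhost configuration.

# Assumed "before": the rule names a single site and grants access, so
# anything uploaded to civicrm/custom can be fetched over HTTP.
# <Directory "/var/aegir/platforms/drupal743-civicrm/sites/foo/files/civicrm/custom">
#   Order allow,deny
#   Allow from all
# </Directory>

# "After": deny access, and match every site directory on the platform.
# In a <Directory> path, "*" matches one path segment (it does not match "/"),
# so this covers sites/foo, sites/bar, ... even when the request arrives
# through a different vhost that shares the same platform docroot.
<Directory "/var/aegir/platforms/drupal743-civicrm/sites/*/files/civicrm/custom">
  <IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2 syntax
    Order allow,deny
    Deny from all
  </IfModule>
</Directory>
```

After reloading Apache, a request for any file under that directory should return 403 from every vhost on the platform, and the CiviCRM warning should no longer appear.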
    
gboudrias’s picture

Status: Needs review » Reviewed & tested by the community

Same problem, patch works for me.

ergonlogic’s picture

I can also confirm that the commit above works well. Let's try to get a release out with this included prior to Aegir 3.7, so that it gets included.

helmo’s picture

Status: Reviewed & tested by the community » Fixed

As it's already committed I think this deserves the fixed status. I'll create a release here just before doing #2754709: [meta] 3.7 release (bugfix/patches)

bgm’s picture

Indeed, thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.