In CiviCRM 4.4.4 a check was introduced for whether some sensitive directories are downloadable (https://civicrm.org/advisory/civi-sa-2014-001-risk-information-disclosure), which results in security warnings on a BOA system:
Security Warning
The CiviCRM debug log should not be downloadable.
Security Warning
Files in the upload directory should not be downloadable.
To prevent access, there should be a rule similar to this in the nginx conf (untested, see http://forum.civicrm.org/index.php?topic=31570.0):
location ~ ^/sites/.*/files/civicrm/(ConfigAndLog|upload|templates_c) {
    deny all;
}
I'm not sure if this can be implemented by default, as the civicrm files directory paths can be changed, but to tighten security and get rid of the annoying warnings, a solution would be nice.
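As an added example that is not part of the original issue or of the BOA/Octopus code, the script below renders the proposed nginx block, mirrors its regex so an admin can see which request paths it covers (the rule is case-sensitive and does not touch other directories such as files/civicrm/custom), and audits a site by requesting a probe file under each sensitive directory. The CiviCRM files prefix is a parameter because, as noted above, that path can be relocated. All URLs, file names and HTTP responses in demo() are constructed; urllib_fetch_status is the only part that talks to a real server.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# The three directories the CiviCRM 4.4.4 check flags (taken from the issue text).
SENSITIVE_DIRS = ("ConfigAndLog", "upload", "templates_c")


def build_location_block(dirs: Iterable[str] = SENSITIVE_DIRS) -> str:
    """Render the nginx location block proposed in the issue for the given directories."""
    alternatives = "|".join(dirs)
    return (
        f"location ~ ^/sites/.*/files/civicrm/({alternatives}) {{\n"
        "    deny all;\n"
        "}\n"
    )


# 'location ~' in nginx is a case-sensitive PCRE match against the normalized URI
# path (query string excluded). Python's re evaluates this pattern identically.
DENY_RE = re.compile(r"^/sites/.*/files/civicrm/(ConfigAndLog|upload|templates_c)")


def is_denied(uri_path: str) -> bool:
    """True if the proposed rule would answer 403 for this request path."""
    return DENY_RE.search(uri_path) is not None


def urllib_fetch_status(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status for a URL; urllib raises HTTPError for 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_site(base_url: str, fetch_status: Callable[[str], int],
               files_prefix: str = "/sites/default/files/civicrm",
               probes: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Request one probe path under each sensitive directory and classify the answer.

    probes maps directory -> file name to request under it. Point it at a file
    that really exists (e.g. the current debug log): a bare directory request can
    return 403 merely because autoindex is off, while its files stay downloadable.
    fetch_status is injected so the audit runs against a live server
    (urllib_fetch_status) or against constructed responses.
    """
    if probes is None:
        probes = {d: "" for d in SENSITIVE_DIRS}
    results = {}
    for directory, rel in probes.items():
        url = f"{base_url.rstrip('/')}{files_prefix.rstrip('/')}/{directory}/{rel}"
        status = fetch_status(url)
        # 403 (deny all) and 404 both mean nothing is served; any other status means reachable.
        results[directory] = "blocked" if status in (403, 404) else f"EXPOSED ({status})"
    return results


def demo() -> Dict[str, str]:
    """Audit a constructed site where only the log directory is protected."""
    base = "https://example.invalid"  # constructed host, never resolves
    prefix = "/sites/default/files/civicrm"
    probes = {
        "ConfigAndLog": "CiviCRM.constructed.log",
        "upload": "constructed.txt",
        "templates_c": "constructed.tpl.php",
    }
    constructed_responses = {
        f"{base}{prefix}/ConfigAndLog/CiviCRM.constructed.log": 403,
        f"{base}{prefix}/upload/constructed.txt": 200,
        f"{base}{prefix}/templates_c/constructed.tpl.php": 200,
    }
    return audit_site(base, lambda u: constructed_responses.get(u, 404), probes=probes)


if __name__ == "__main__":
    print(build_location_block())
    for directory, verdict in demo().items():
        print(f"{directory}: {verdict}")
```

Against a real install, replace the lambda in demo() with urllib_fetch_status and set probes to file names that exist on that server; a result of "blocked" for all three directories is what the CiviCRM status page expects before its warnings disappear.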
Comments
Comment #1
omega8cc commented: Committed in http://drupalcode.org/project/octopus.git/commit/56bcb63 (but not in provision yet)
Thanks.