The File (Field) Paths module extends the default functionality of Drupal's core File module, by adding the ability to use entity-based tokens in destination paths and file names.
The module's default configuration could temporarily expose private files to anonymous visitors.
Important note: to fix the problem, database updates must be run in addition to updating the module.
It's possible to make a configuration change to mitigate this problem in the admin UI at /admin/config/media/file-system/filefield-paths - the temp file location should use either the temporary:// or private:// stream wrapper if uploaded files should not be exposed publicly.
This vulnerability is mitigated by the fact that an attacker must be able to guess the temporary path used for file upload.
Install the latest version:
- If you use the File (Field) Paths module for Drupal 7.x, upgrade to File (Field) Paths 7.x-1.2
- Hayato Goto
- Drew Webber of the Drupal Security Team
- Steve Bink
- Hayato Goto
- David Snopek of the Drupal Security Team
- Vijay Mani provisional member of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Oleh Vehera
- Damien McKenna of the Drupal Security Team
- David Snopek of the Drupal Security Team
- Drew Webber of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
