
Using the Legacy layer, static assets are accessible through internal path, and accessible regardless of section

    Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Duplicate
    • Affects Version/s: 5.0.0-dev
    • Component/s: None
    • Environment:

      Operating System: RHEL 62
      PHP Version: 5.3.3
      Database and version: MySQL 5.1.61
      Browser (and version): Firefox 13

      Description

      The following issue was detected in ezp5, through the Legacy controller.

      If you create an object of, for example, the File class and upload a file, that file will be publicly accessible through its path inside the var folder (var/ezflow_site/storage/...), regardless of user permissions and of the section the file's object belongs to. Using the public path to the content (for example, by retrieving the link from the object's preview) will always yield access to the content, regardless of the content's section.

      Steps to reproduce:
      1. Create a "File" object and upload a file.
      2. Create a new section and assign it to the object.
      3. Get the file's regular path from the object's preview and verify that it is accessible.
      4. Log out and try to access the same URL; the file will still be accessible.
      5. Find the real path to the file in the filesystem and type it into your address bar, for example <site.com>/var/storage... . This file will also be accessible.
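Detection logic for the exposure described above, as an added example that is not part of the original report: it scans web-server access log lines (assumed to be in the common "combined" format; the sample lines are constructed) for requests that fetched a file straight from the legacy var/<site>/storage tree and received HTTP 200, which means the web server served the file itself and the section/permission check in eZ Publish never ran.

```python
import re
from typing import Dict, List, Optional

# Apache/nginx "combined" access log format (assumption: the site logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Direct hits on the legacy storage tree, e.g. /var/ezflow_site/storage/original/...
# The site directory name is a wildcard because it is installation specific.
STORAGE_PATH_RE = re.compile(r'^/var/[^/]+/storage/')


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_direct_storage_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return requests that fetched a file straight from var/*/storage and got 200.

    Such a hit means the web server served the file itself, so the application's
    section/permission check was bypassed. Requests that were rewritten or denied
    (3xx, 403, 404) are not reported, nor are paths outside the storage tree.
    """
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        if STORAGE_PATH_RE.match(rec["path"]) and rec["status"] == "200":
            hits.append({"ip": rec["ip"], "path": rec["path"], "user": rec["user"]})
    return hits


# Constructed sample log lines (not real traffic); only the first one is a finding.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2012:10:00:01 +0200] "GET /var/ezflow_site/storage/original/application/report.pdf HTTP/1.1" 200 48213',
    '203.0.113.7 - - [12/Jul/2012:10:00:02 +0200] "GET /content/download/123/4567/file/report.pdf HTTP/1.1" 403 211',
    '198.51.100.4 - - [12/Jul/2012:10:00:03 +0200] "GET /var/ezflow_site/storage/original/image/logo.png HTTP/1.1" 403 198',
    '198.51.100.4 - - [12/Jul/2012:10:00:04 +0200] "GET /var/ezflow_site/cache/page.css HTTP/1.1" 200 3021',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_direct_storage_hits(SAMPLE_LOG):
        print(f"{hit['ip']} fetched {hit['path']} directly (HTTP 200)")
```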

        Activity

        Filipe Dobreira (Inactive) added a comment -

        Issue seems to have been fixed in the meantime.

        Filipe Dobreira (Inactive) added a comment -

        Re-opening this issue, it's reproducible once again.

        The steps are the same as described in the original report above.

        André Rømcke added a comment -

        I assume this is because of Rewrite rules; if so, this was fixed yesterday:
        https://github.com/ezsystems/ezpublish5/commit/87be89a60fb81b10e77c5aeccca4049448e02c23


          People

          • Assignee: Unassigned
          • Reporter: Bertrand Dunogier