eZ Publish / Platform: EZP-24312

Default installation content results in 404 errors


Details

    Description

      A default installation of ezpublish-community using the demobundle and ezdemo ezpackage content, which provides selected video content, results in 404 errors on the default index page.

      This is a direct result of ezpublish-kernel not yet providing a new stack (Symfony) based replacement for the content/download module view, which is required to abstract the serving of binary file content object content.

      This is a temporary problem for both eZ Publish 5.x and eZ Platform.

      The 404 errors can be solved today by editing the mod_rewrite rules in your virtual host configuration and adding the following new rules:

      + # If using default installation of demobundle or linking to uploaded binary file content, you may wish to uncomment the following two lines:
      + # These lines represent a temporary bugfix and also a potential security issue which is documented here: https://jira.ez.no/browse/EZP-24312
      + RewriteRule ^/var/storage/.* - [L]
      + RewriteRule ^/var/[^/]+/storage/.* - [L]
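
      Review bot: the two RewriteRule lines are added active, although the comment above them tells the reader to uncomment them and calls them a potential security issue; prefix both with `#` so the default stays closed. The `.*` patterns also pass through every file under the storage directories, so if the rules are enabled, narrow each pattern to the subdirectory or file types the demo content needs.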

      Please realize that by adding these rewrite rules to your website's virtual host configuration you are introducing a potential security issue.

      The potential security issue is that you would be exposing all of your var storage directory binary file content (binary files uploaded into eZ Publish) to direct access by anyone (including, for example, indexing search engines).

      The problem is that the default content provided by the demobundle and ezdemo extension during a default installation makes use of binary file content, which requires these mod_rewrite rules to be in your virtual host configuration; without them, a default installation as described will generate 404 errors when loading the index page of the default user siteaccess.

      Warning! You should not use these rules by default unless you both understand the impact of this potential security concern on the security of your website's binary content and absolutely require this feature.

      This issue is related to the following issues:

      We have addressed this issue in the short term (before the new stack replacement for the content/download feature is available) with example mod_rewrite rule additions in the ezpublish-community repository. They are commented out by default, both to ensure default security of var directory content and as an educational documentation reference for all users who wish to use the previously suggested mod_rewrite rules, which solve the 404 errors being reported. The additions are in the following PR:

      https://github.com/ezsystems/ezpublish-community/pull/240
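
      An added example, not part of the issue text or of the ezpublish-community repository: a small Python audit that finds active pass-through rules of the kind shown above in a virtual host configuration and reports which request paths they would serve directly. The sample configuration and request paths are constructed, the function names are hypothetical, and it assumes no earlier rule rewrites the path first.

```python
import re

# Constructed vhost fragment: the two rules from this issue, a commented-out
# copy of the first, and a catch-all front-controller rule (assumed).
SAMPLE_VHOST = """\
RewriteEngine On
# RewriteRule ^/var/storage/.* - [L]
RewriteRule ^/var/storage/.* - [L]
RewriteRule ^/var/[^/]+/storage/.* - [L]
RewriteRule .* /index.php
"""

# Constructed request paths; siteaccess and file names are placeholders.
SAMPLE_PATHS = [
    "/var/storage/original/video/placeholder.mp4",
    "/var/example_site/storage/original/application/placeholder.pdf",
    "/var/example_site/cache/placeholder.php",
    "/content/download/placeholder",
]

# RewriteRule <pattern> <substitution> [flags]; lines starting with '#' do not match.
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)


def passthrough_rules(config_text):
    """Return (line_no, pattern) for active rules with '-' substitution and the L flag."""
    found = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = RULE.match(line)
        if not match:
            continue
        pattern, substitution, flags = match.groups()
        flag_list = [f.strip().upper() for f in (flags or "").split(",")]
        if substitution == "-" and "L" in flag_list:
            found.append((line_no, pattern))
    return found


def exposed_paths(config_text, paths):
    """Map each path to the line of the first pass-through rule serving it, or None."""
    rules = [(no, re.compile(p)) for no, p in passthrough_rules(config_text)]
    return {
        path: next((no for no, rx in rules if rx.search(path)), None)
        for path in paths
    }


if __name__ == "__main__":
    for path, line_no in exposed_paths(SAMPLE_VHOST, SAMPLE_PATHS).items():
        print(f"{'EXPOSED line ' + str(line_no) if line_no else 'front controller':18} {path}")
```
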

          People

            Unassigned Unassigned
            bc bc