- 🇧🇪Belgium mr.baileys 🇧🇪 (Ghent)
Not sure if this was ever addressed as part of another issue, but closed as outdated, there should not be any D6 to D7 migrations at this point.
Previously posted by David Rothstein in the private security tracker:
I noticed that when upgrading from D6 to D7 the "view uploaded files" permission goes away completely, with nothing to replace it.
Thus, files which were previously private suddenly become visible to everyone during the D6 to D7 upgrade (when they are converted from the Upload module to file fields). Presumably the only way to fix that would be for the site to install/configure the Field Permissions module, but there is no warning or notification whatsoever about that.
The security team has decided that this should be handled in public as there is not much we can do in Drupal 7 core to "fix" this issue.
Closed: outdated
7.0 ⚰️
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
Not sure if this was ever addressed as part of another issue, but closed as outdated, there should not be any D6 to D7 migrations at this point.