- πΈπ°Slovakia poker10
It seems like this was fixed in #3016814: Don't trigger hook_file_download when no file is requested β . On clean Drupal 10.1.x-dev I get 404 even on existing private directories (or the steps to reproduce are incomplete).
This issue has been approved for public posting by the Drupal security team.
Original issue #167207 in the team tracker
Report by: Rob Bayliss (rbayliss)
https://www.drupal.org/user/772738 β
The patch was written by mrossi113 while working for the Commonwealth of Massachusetts.
Drupal core module has an information disclosure vulnerability. An attacker can verify the names of directories in the private file system.
You can see this vulnerability by:
1. Setting up the private filesystem.
2. Creating a directory within the private filesystem "foo"
3. Visiting "/system/files/foo" in your browser.
4. Observe a 500 error, where you get a 404 for any directory that does not exist.
In terms of impact, xjm commented:
If this is also true of subdirectories, there are theoretical scenarios for info disclosure if a site is structuring its file uploads with named subdirectories. E.g., a site might have sites/default/files/promotions/2021 or sites/default/files/clients/secret_clientname. Based on that, this is an issue worth fixing.
This patch was written by mrossi113 while working for the Commonwealth of Massachusetts.
Write a test
Closed: duplicate
10.1 β¨
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
It seems like this was fixed in #3016814: Don't trigger hook_file_download when no file is requested β . On clean Drupal 10.1.x-dev I get 404 even on existing private directories (or the steps to reproduce are incomplete).