CiviCRM Community Forums (archive)

This forum was archived on 25 November 2017.

Author Topic: Broken Contact Images in 4.4.13, a .htaccess fix?  (Read 1019 times)

CiviTeacher.com

  • I live on this forum
  • Posts: 1282
  • Karma: 118
    • CiviTeacher
  • CiviCRM version: 3.4 - 4.5
  • CMS version: Drupal 6&7, Wordpress
  • MySQL version: 5.1 - 5.5
  • PHP version: 5.2 - 5.4
Broken Contact Images in 4.4.13, a .htaccess fix?
March 09, 2015, 11:37:38 am
In 4.4.13 Contact images are not working due to a 403 (Forbidden) error.
Quote
Warning: getimagesize(https://site.org/sites/default/files/civicrm/custom/image_5ffe242f47046cc5b302714f92d4155e.jpg)

Quote
/sites/default/files/civicrm/custom/.htaccess

I changed it to contain:

Code:
# Apache 2.2 access-control syntax (order / allow / deny).
# Lets requests for image files in this directory through; the regex is
# case-sensitive, so it matches .jpg/.jpeg/.png/.gif but not .JPG.
<Files ~ "\.(jpg|jpeg|png|gif)$">
   order deny,allow
   allow from all
</Files>

Anyone see a problem with this? Or is there a better solution to allow images to be seen?
« Last Edit: March 10, 2015, 04:06:35 pm by CiviTeacher.com »
Try CiviTeacher: the online video tutorial CiviCRM learning library.

Chris Burgess

  • Ask me questions
  • Posts: 675
  • Karma: 59
Re: Broken Contact Images in 4.4.13, a .htaccess fix?
March 10, 2015, 03:54:31 pm
See https://civicrm.org/advisory/civi-sa-2014-001-risk-information-disclosure which indicates the probable intentions of that .htaccess.

I'm not sure about "custom" (it's not mentioned in that SA, and I find the names of the three or four upload folders unclear - CiviCRM has "custom", "upload", "images" and maybe something else, while Drupal uses clearer terminology "public" and "private"). It may be you don't need the .htaccess there at all, but it must have come from somewhere?

Adding .htaccess to these directories doesn't seem to have come in with the SA, but may have been a later addition which relates to same. The .htaccess may also have been added by your sysadmin thinking that "custom" is a private directory. Depending on your use of CiviCRM files, it may actually be.

For example, I've observed sites which used file attachments for both user avatars (public, probably) and staff documents (private, certainly). Since CiviCRM doesn't (?) permit sites to configure public or private per file, you need to apply your own document security process on a site-wide basis.
@xurizaemon ● www.fuzion.co.nz

CiviTeacher.com

Re: Broken Contact Images in 4.4.13, a .htaccess fix?
March 10, 2015, 04:04:33 pm
Thanks!

The .htaccess file was added by CiviCRM 4.4 or a prior version, not a human. And the fact that CiviCRM gives me a warning about access to this directory lets me know that Civi knows what it's looking for, and it's worried when I changed the .htaccess to allow gif|jpg etc. images.

Any thoughts?
« Last Edit: March 10, 2015, 04:06:06 pm by CiviTeacher.com »
Try CiviTeacher: the online video tutorial CiviCRM learning library.

Chris Burgess

Re: Broken Contact Images in 4.4.13, a .htaccess fix?
March 10, 2015, 06:18:27 pm
Looks like you're looking at https://issues.civicrm.org/jira/browse/CRM-14499 / https://issues.civicrm.org/jira/browse/CRM-15896

CRM_Utils_File::restrictAccess() installs those files.

CRM_Core_Config_Defaults::setValues() looks like the only call of that directed at "$customDIR" (which I'm going to assume is sites/default/files/civicrm/custom here, but those names get used confusingly sometimes, eg "uploadDir" is "customFileUploadDir" or something).
@xurizaemon ● www.fuzion.co.nz

CiviTeacher.com

Re: Broken Contact Images in 4.4.13, a .htaccess fix?
March 11, 2015, 03:35:55 pm
I have identified the issue. Images uploaded in version 4.2 and prior retain the "old style" URL that is blocked by the new .htaccess file in 4.4. Thus, this is a separate bug relating to updating image paths in the 4.2 > 4.4 upgrade process. I've added a comment here.

https://issues.civicrm.org/jira/browse/CRM-15897
Try CiviTeacher: the online video tutorial CiviCRM learning library.

Chris Burgess

Re: Broken Contact Images in 4.4.13, a .htaccess fix?
March 11, 2015, 06:18:36 pm
Awesome, thanks for that! Good luck getting it sorted.

Reflected on how I find the naming / references to those directories a bit confusing and decided to try and collect their meanings in one place (maybe it should be wiki'd, but having to wiki documentation smells to me of a UX bug).

configAndLogDir
  • set via: settings.php CIVICRM_TEMPLATE_COMPILEDIR s/templates_c/ConfigAndLog/
  • example path: sites/default/files/civicrm/ConfigAndLog
  • recommendation: Prohibit all web access
  • documentation: (don't see any in civicrm.settings.php)

imageUploadDir
  • set via: "Images" at civicrm/admin/setting/path
  • example path: sites/default/files/civicrm/persist/contribute
  • recommendation: Prohibit directory browsing
  • documentation (from admin settings page): "File system path where temporary CiviCRM files - such as import data files - are uploaded. File system path where image files are uploaded. Currently, this path is used for images associated with premiums (CiviContribute thank-you gifts)."

templateCompileDir
  • set via: settings.php CIVICRM_TEMPLATE_COMPILEDIR
  • example path: sites/default/files/civicrm/templates_c
  • recommendation: Prohibit all web access
  • documentation (from civicrm.settings.php): CIVICRM_TEMPLATE_COMPILEDIR is the file system path where compiled templates are stored. These sub-directories and files are temporary caches and will be recreated automatically if deleted.

uploadDir
  • set via: "Temporary files" at civicrm/admin/setting/path
  • example path: sites/default/files/civicrm/upload
  • recommendation: Prohibit all web access
  • documentation (from admin settings page): "File system path where temporary CiviCRM files - such as import data files - are uploaded."

customFileUploadDir
  • set via: "Custom Files" at civicrm/admin/setting/path
  • example path: sites/default/files/civicrm/custom
  • no recommendation given in CIVI-SA-2014-001
  • documentation (from admin settings page): "Path where documents and images which are attachments to contact records are stored (e.g. contact photos, resumes, contracts, etc.). These attachments are defined using 'file' type custom fields."
@xurizaemon ● www.fuzion.co.nz
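As an added example (not code from this thread or from CiviCRM itself), here is a small Python audit that walks the directories listed above and checks each .htaccess against the recommendation given for it, parsing the Apache 2.2 order/allow/deny syntax used in the first post. It assumes the directory names from the example paths above; because CIVI-SA-2014-001 gives no recommendation for customFileUploadDir, it treats "deny all, re-allow image files only" there as acceptable, and the sample tree that demo() builds is constructed for illustration. Both of those are assumptions made here.

```python
import os
import re
import tempfile

# Directories and recommendations from the list above (CIVI-SA-2014-001); the advisory
# gives none for customFileUploadDir, so "deny all, re-allow images only" is assumed there.
RECOMMENDATIONS = {"ConfigAndLog": "deny_all", "templates_c": "deny_all",
                   "upload": "deny_all", "custom": "deny_all_except_images"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
FILES_BLOCK = re.compile(r'<Files\s+~\s+"([^"]+)">(.*?)</Files>', re.I | re.S)

def parse_htaccess(text):
    """Apache 2.2-style summary: is a global deny present, and which <Files ~> re-allow?"""
    return {
        "deny_all": bool(re.search(r"^\s*deny\s+from\s+all\b", text, re.I | re.M)),
        "allowed": [p for p, body in FILES_BLOCK.findall(text)
                    if re.search(r"\ballow\s+from\s+all\b", body, re.I)],
    }

def images_only(pattern):
    """True if a pattern such as \\.(jpg|png)$ names image extensions only."""
    m = re.fullmatch(r"\\\.\(([A-Za-z|]+)\)\$", pattern)
    return bool(m) and set(m.group(1).lower().split("|")) <= IMAGE_EXTS

def audit(base):
    """Map each directory under base to 'ok', 'MISSING .htaccess' or 'WEAK: ...'."""
    verdicts = {}
    for rel, want in RECOMMENDATIONS.items():
        path = os.path.join(base, rel, ".htaccess")
        if not os.path.isfile(path):
            verdicts[rel] = "MISSING .htaccess"
            continue
        with open(path) as fh:
            info = parse_htaccess(fh.read())
        # A <Files> re-allow is tolerated only where images are meant to be public.
        ok = info["deny_all"] and all(want == "deny_all_except_images" and images_only(p) for p in info["allowed"])
        verdicts[rel] = "ok" if ok else "WEAK: no deny, or re-allows %s" % info["allowed"]
    return verdicts

def demo():
    """Constructed sample tree (not a real CiviCRM install); templates_c gets no .htaccess."""
    base = tempfile.mkdtemp()
    fixture = {
        "ConfigAndLog/.htaccess": "Deny from all\n",
        "upload/.htaccess": 'Deny from all\n<Files ~ "\\.(csv)$">\n allow from all\n</Files>\n',
        "custom/.htaccess": 'Deny from all\n<Files ~ "\\.(jpg|jpeg|png|gif)$">\n   order deny,allow\n   allow from all\n</Files>\n',
    }
    for rel, content in fixture.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        open(os.path.join(base, rel), "w").write(content)
    return audit(base)
```

Point audit() at a real sites/default/files/civicrm directory to get the same verdicts for an installed site; the upload entry in demo() shows why a `<Files>` re-allow that is fine under custom is a weakness anywhere the advisory says to prohibit all web access.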

This forum was archived on 2017-11-26.