Access Denied in v4.5.92

  • Resolved mitrax

    (@mitrax)


    2 years, 11 months ago

    There’s still an similar issue described in this topic

    Namely, if (for security reasons) files are located OUTSIDE the website root and NOT in the wp-content folder, they cannot be downloaded – an “Access Denied” error appears. The website has access to this folder, so absolute path need to be supported as it did in the all previous versions.

    For example, if the WP installation is at the location:

    “/var/www/example.com/htdocs”

    and files are located at the location:

    “/var/www/example.com/private/files”

    in case that a file “/var/www/example.com/private/files/sample-download.zip” need to be downloaded the error appears.

    Please notice that this absolute path logic works for product downloads in WooCommerce, so there’s no reason for removing it from Download Monitor. The security regarding accessing this folder should be handled on the server level, not in the module itself.

    Also, I kindly ask you to mark breaking backward compatibility in the change logs in the future.

Viewing 5 replies - 1 through 5 (of 5 total)

  • Hey @mitrax ,

    This situation has also been taken into consideration, that is why we introduced a new setting in the Settings > Advanced > Miscellaneous tab. Documentation for the setting can be found here. Please be advised, before modifying that setting do a backup of the database.

    Warmly,
    Razvan

    Thread Starter mitrax

    (@mitrax)

    You’ve just killed the only reason why we use Download Monitor for our and client’s websites.

    It’s not about the single download path, it’s about different paths per different downloads.

    As I mentioned in the previous post, even WooCommerce itself allows different paths per product and they are very aware of the implications. We also consider security seriously, that’s why our downloadable files are not present in the wordpress but on different locations.

    It would be great if you created e.g. checkbox “Allow absolute path” per each downloads.

    Otherwise, we’ll be forced to abandon the plugin completely.

    Hello,

    The behavior you are trying to accomplish can be reached if you modify the setting mentioned before. You do not have to enter the file’s specific directory, you could enter a parent directory and all the child directories paths will be available. As the example in the documentation said, if you have /var/www/example.com/htdocs and you specify in the new setting that the addition path will be just /var/www/example.com/, all files contained in the directories that are contained in the said directory will be available for download ( including private/files/ or other directories that are present ). Again, as this is very important, please do a backup of the database if you are going to modify that setting.

    Also, we’ll investigate the info you gave about how WooCommerce handles this and we’ll try to come with an update on how we handle this.

    Warmly,
    Razvan

    • This reply was modified 2 years, 11 months ago by Razvan Aldea.
    Thread Starter mitrax

    (@mitrax)

    Yes, you’re right! I’ve researched the code and also tested. It works with subfolders. It’s enough for now. Drupal handles the “private” folders in similar way, the only difference is the path needs to be added into the config file.

    In the meantime, take a look at WooCommerce, as you said.
    Thanks

    Thread Starter mitrax

    (@mitrax)

    WooCommerce has just added new feature called “Approved Download Directories” and it works great. You can take a look HERE

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Access Denied in v4.5.92’ is closed to new replies.