<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
so the security on the folder is working, but are contact images
working for you? I think that if you add a contact image, then you
will get a broken image on the contact like this:<br>
<img src="cid:part1.06070504.02000207@libertus.co.uk" alt=""><br>
<br>
because the url to the image is a direct link into the storage
directory.<br>
<br>
Alan.<br>
<br>
<br>
<div class="moz-cite-prefix">On 07/03/15 14:17, Uma S wrote:<br>
</div>
<blockquote
cite="mid:CAH83UoKTBGyQw9PYckOdgLBXoxtMYpkj9z_Mwh5XMeyEB04wqA@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Alan,
<div><br>
</div>
<div>We are not able to reproduce this issue locally, where
access to storage folder throws permission denied error
screen-shot has been attached.</div>
<div><br>
</div>
<div>Please let us know if any particular test-case need to
followed to reproduce the issue?</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Mar 6, 2015 at 7:38 PM, Alan
Bell <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:alan.bell@libertus.co.uk" target="_blank">alan.bell@libertus.co.uk</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi all, <br>
<br>
in vtiger 6.2 there is a new .htaccess file in <i><span>/</span>storage<span>/</span></i>.htaccess
containing "deny from all" <br>
<br>
this is a good thing, people shouldn't be able to browse
or access files directly from the storage directory
without logging on, but it breaks the way contact and
product images are served up as these are linked directly
to the storage directory. If your contact images are
broken, then great, you have a reasonably secure system.
If contact images display then you will find that going in
a browser to <a moz-do-not-send="true"
href="http://myvtigerhost/myvtigerpath/storage"
target="_blank">http://myvtigerhost/myvtigerpath/storage</a>
will reveal all your attachments without needing to log on
- this is bad. <br>
Whatever version of vtiger you are using, direct access to
the storage directory is a very bad thing. You should
block this with a .htaccess file and ensure that your
apache configuration allows the htaccess to override (by
default on Ubuntu it won't) or add in the apache
configuration something like <br>
<br>
<Directory /var/www/vtiger/storage> <br>
AllowOverride All <br>
</Directory> <br>
<br>
or, don't bother with the .htaccess file and just deny it
in the apache configuration with: <br>
<br>
<Directory /var/www/vtiger/storage> <br>
deny from all <br>
</Directory> <br>
<br>
to fix your contact/product images after you have
successfully broken them there is a good looking
suggestion here that I haven't tried out yet. <br>
<a moz-do-not-send="true"
href="http://stackoverflow.com/questions/28316322/the-photos-dont-appear-after-an-update-to-vtiger-6-2"
target="_blank">http://stackoverflow.com/questions/28316322/the-photos-dont-appear-after-an-update-to-vtiger-6-2</a>
<br>
<span class="HOEnZb"><font color="#888888"> <br>
Alan. </font></span></div>
<br>
_______________________________________________<br>
<a moz-do-not-send="true" href="http://www.vtiger.com/"
target="_blank">http://www.vtiger.com/</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="gmail_signature">
<div dir="ltr">With<br>
Best Regards<br>
Uma.S<br>
<div>Vtiger Team</div>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
<a class="moz-txt-link-freetext" href="http://www.vtiger.com/">http://www.vtiger.com/</a></pre>
</blockquote>
<br>
</body>
</html>