Security advisory: IBEXA-SA-2021-006

Storage and legacy files accessible if path is known
Publication date:
14/09/2021, 13:25

Severity:
High

Affected versions: ezsystems/ezplatform v1.13.6, v2.5.24, ibexa/post-install v1.0.4
Resolving versions: ezsystems/ezplatform v1.13.6.1, v2.5.24.1, ibexa/post-install v1.0.4.1

This Security Advisory concerns a vulnerability when using Ibexa DXP on platform.sh. The default platform.sh configuration (.platform.app.yaml) allows access to uploaded files if you know or can guess their location, regardless of whether roles grant content read access to the content containing those files. If you are using Legacy Bridge, the default configuration also allows access to certain legacy files that should not be readable, including the legacy var directory and extension directories. Our default Apache/Nginx vhost files set these permissions correctly, but platform.sh does not use those files, as it has its own configuration.

The fix addresses this with deny-by-default in the web directory, allowing only specific files and subdirectories as needed. This means the fix has to be adapted to your installation. Make sure you apply the changes to your active .platform.app.yaml file. If your installation includes custom web subdirectories that should be readable, you have to add allow statements for them. We strongly recommend that you install this update as soon as possible.

Please make sure you read and understand the web.locations section of .platform.app.yaml and how it affects your installation.

Please note that on v3.3, the change will not take effect unless you run composer install again, as the files are located among the post-install resources. Either rerun the install, or copy the web.locations section from resources/platformsh/ibexa-commerce/*/.platform.app.yaml to your active .platform.app.yaml file, and adapt it to your needs.
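To illustrate what the deny-by-default change looks like, the following is an added example of a web.locations section and not the file shipped with Ibexa DXP or the resolving versions. It assumes a web root of "web", a front controller at web/index.php, public asset directories bundles/, assets/ and build/, and image variations under web/var/<site>/storage/images (or images-versioned); all of those directory names are assumptions and must be adapted to your installation. The first document is the permissive shape that serves any existing file under the web root; the second only serves paths that match an explicit rule and passes everything else to index.php, where the application's role and policy checks apply.

```yaml
# Added illustrative .platform.app.yaml excerpts, not Ibexa's own file.
# Assumed layout: web root "web", front controller web/index.php,
# public assets under web/bundles, web/assets, web/build, and image
# variations under web/var/<site>/storage/images[-versioned].

# BEFORE: allow is true, so any file that exists below "web" (including
# uploaded originals under var/<site>/storage/original and, with Legacy
# Bridge, the legacy var/ and extension/ trees) is served directly by
# the platform.sh web server without the application seeing the request.
web:
    locations:
        "/":
            root: "web"
            passthru: "/index.php"
            index:
                - index.php
            scripts: true
            allow: true
---
# AFTER: deny-by-default. Only paths matching a rule are served as static
# files; every other request falls through to passthru (index.php), so
# downloads of stored files go through the application's permission checks.
web:
    locations:
        "/":
            root: "web"
            passthru: "/index.php"
            index:
                - index.php
            scripts: true
            allow: false
            rules:
                # Well-known top-level files (assumed to exist in web/).
                '^/(?:robots\.txt|favicon\.ico)$':
                    allow: true
                # Symfony bundle and Encore assets (assumed directory names;
                # add any custom public subdirectory of web/ here).
                '^/(?:bundles|assets|build)/':
                    allow: true
                    expires: 1d
                # Image variations must stay public. Originals live under
                # var/<site>/storage/original and match no rule, so they are
                # denied here and handled by index.php instead.
                '^/var/[^/]+/storage/images(?:-versioned)?/':
                    allow: true
                    expires: 1d
```

After deploying, verify the change from outside as an anonymous user: a known path to a stored original file (and, with Legacy Bridge, a path under the legacy var or extension directories) must no longer come back as a 200 static-file response, while an image variation path and a path under your asset directories must still return 200. If an asset that your site needs now returns an error, the directory is missing from the rules and needs its own allow entry rather than a return to allow: true.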


Have you found a security bug in Ibexa DXP? See how to report it responsibly here: https://doc.ibexa.co/en/latest/guide/reporting_issues/
