Chmod 640 for uploaded file after SUPEE 7405 patch

Posted 2019-04-06 07:40

Question:

After installing the SUPEE 7405 patch, we noticed a problem uploading images from the admin. All file permissions are being set to CHMOD 640 which makes them inaccessible to all users.

Is there a solution that does not involve rewriting the /lib/Varien/File/Uploader.php file?

Answer 1:

A new version of SUPEE-7405 has been released that resolves this issue:

http://magento.com/security/patches/supee-7405

Updated February 23, 2016

Updated versions of this release are now available. The updates add support for PHP 5.3 and address issues with upload file permissions, merging carts, and SOAP APIs experienced with the original release.

Note that even without the revised patch, you can fix the issue by using the recommended file permissions (see below).


Magento expects the webserver to own the site files:

http://devdocs.magento.com/guides/m1x/install/installer-privileges_after.html#privs-after

You can resolve this problem by making the webserver the owner of the files.

chown -R web-server-user-name magento/root/path

The webserver user name is commonly www-data or apache.

If you follow the instructions in the above link, the webserver will have read access to all files, and write access to media files and var files. This should be all you need for typical site operation. If you need to use Magento Connect you'll have to temporarily give the webserver write access to all files.

"All file permissions are being set to CHMOD 640 which makes them inaccessible to all users."

Only the webserver user needs access to the files. There is no need to grant any permissions to all users.

You may want to grant access to a specific user if, for example, you need to edit or upload files via FTP. In this case, what I do is set a user who owns the file system and set the files' group to the webserver:

cd magento/root/directory

# Set ownership 
# 'username' should be the file system owner username
# 'webserver' should be the webserver username
chown -R username:webserver .

# Give the user read/write access to all files.
# Give the webserver read access to all files
find . -type f -exec chmod 640 {} \;
find . -type d -exec chmod 2750 {} \; 

# Give the user and the webserver read/write access to var and media
find var/ -type f -exec chmod 660 {} \;
find media/ -type f -exec chmod 660 {} \;
find var/ -type d -exec chmod 2770 {} \;
find media/ -type d -exec chmod 2770 {} \;
chmod 2770 includes
chmod 660 includes/config.php

The above commands will give your file system owner read/write access to everything and the webserver read access to everything. The webserver will also be able to write to the media and var directories.
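
An added example, not part of the original answer: a read-only audit of a Magento tree against the scheme above (no access for "other", group-readable everywhere, setgid directories, group write only under var/, media/ and includes/). The function name, the output labels and the optional group argument are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original answers): report files that deviate
# from the owner/webserver-group scheme described above. Changes nothing.
# Usage: audit_magento_perms ROOT [GROUP]   ROOT and GROUP are yours to supply.

audit_magento_perms() {
    root=$1
    group=${2:-}
    (
        cd "$root" || exit 1

        # No permission bits for "other": only the owner and the webserver
        # group need access. Symlinks are skipped (their mode is meaningless).
        find . ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \) \
            -exec printf 'world-access\t%s\n' {} +

        # The webserver group must be able to read files and enter directories.
        find . -type f ! -perm -040 -exec printf 'group-unreadable\t%s\n' {} +
        find . -type d ! -perm -050 -exec printf 'group-unreadable\t%s\n' {} +

        # Directories carry setgid so new uploads inherit the webserver group.
        find . -type d ! -perm -2000 -exec printf 'no-setgid\t%s\n' {} +

        # Group write belongs only under var/, media/ and includes/.
        find . \( -path ./var -o -path ./media -o -path ./includes \) -prune \
            -o \( -type f -o -type d \) -perm -020 \
            -exec printf 'group-write\t%s\n' {} +

        # Optional: a 640 file is readable by the webserver only if the
        # file's group is the webserver's group (name or numeric gid).
        if [ -n "$group" ]; then
            find . ! -group "$group" -exec printf 'wrong-group\t%s\n' {} +
        fi
    )
}

# Run directly, for example: sh audit.sh /path/to/magento www-data
if [ "$#" -ge 1 ]; then
    audit_magento_perms "$@"
fi
```

An empty report means the tree matches the scheme; a `wrong-group` line on a freshly uploaded image is the case the question describes, where the 640 file exists but the webserver cannot read it.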



Answer 2:

We've solved the issue for our environments, however, I'm not sure how much help this will be for everyone else. Even though I'm not a network engineer, I will try to explain it. If enough people find this post helpful, I'll mark it as correct. Also, please note that even though the issue arose from Magento's SUPEE 7405 patch, the solution is Network based, not code based.

I believe the purpose of the chmod alteration in the patch was to prevent hackers from hijacking your images and storing sensitive data within them (the checkout header image hack for example). To prevent this hack, they limit all access to uploaded files/images via chmod 640.

With that said...

The latest patch to Magento 1.X seems to require an environment configuration change. As one of our network engineers said, they assume we are using Apache with mod_php, which reads and writes all files as the Apache user. However, if you are using fcgi or suphp, the files would be written as the domain user. Depending on your environment, you may need to add Apache to your groups and allow it to read the files.

Try the chown -R solution first, and if that doesn't work you may need to contact your host or add Apache to your "groups" so that it has owner access.



Answer 3:

Please go to this file:

lib/Varien/File/Uploader.php 

and just change line 220 from chmod($destinationFile, 0640) to chmod($destinationFile, 0644).

It's working.



Answer 4:

The accepted answer is a good solution.

If you are unable to change the ownership (maybe because you are on a shared server) you can run cron jobs to change file permission on the newly uploaded files.

*/3 * * * * find /path/to/magento/ -type f -perm 640 -exec chmod 644 {} \;

*/3 * * * * find /path/to/magento/ -type d -perm 750 -exec chmod 2755 {} \;


Answer 5:

Look at this: https://community.magento.com/t5/Security-Patches/after-installing-SUPEE-7405-can-no-longer-add-or-change-images/td-p/26785/page/3

Changing Upload.php code worked for all my installations.

To fix existing uploaded images, you need to change ALL existing uploaded images' permissions (chmod) from 0640 to 0644.
To fix it for the future, you would need to edit /lib/Varien/File/Uploader.php and change the line from (after applying the patch)

chmod($destinationFile, 0640);

to

chmod($destinationFile, 0644);

There is a similar one for directories that you'll need to change from 0750 to 0755.