Most CiviCRM deployments manage access to file-attachments using a coarse-grained permission "access uploaded files".
In previous versions of CiviCRM, this access-control mechanism was overly permissive (and only secure in an unrealistically narrow range of use-cases). In newer versions, the permission "access uploaded files" remains a prerequisite. Additionally, when downloading a file, the URL must include a signed access token. The token is generated by the server, and it provides access to a specific file for a limited time period.
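The two-gate check described above can be sketched as follows. This is an added illustration, not CiviCRM's own code: the HMAC-SHA256 construction, the token layout, the key, the lifetime and the function names are all assumptions chosen to show a token bound to one file and one expiry time.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key; a real site would use a secret per-site key.
SITE_KEY = b"constructed-demo-key"
TOKEN_TTL = 3600  # seconds; assumed lifetime, not CiviCRM's actual value


def _sign(file_id: int, expires: int) -> bytes:
    # The signature covers both the file id and the expiry, so changing
    # either one in the URL invalidates the token.
    msg = f"file:{file_id}|exp:{expires}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest().encode()


def make_token(file_id: int, now: Optional[int] = None) -> str:
    """Issue a token that is valid for one file until now + TOKEN_TTL."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    return f"{expires}.{_sign(file_id, expires).decode()}"


def may_download(file_id: int, token: str, has_permission: bool,
                 now: Optional[int] = None) -> bool:
    """Both gates must pass: the coarse permission AND a valid token."""
    if not has_permission:  # "access uploaded files" stays a prerequisite
        return False
    now = int(time.time()) if now is None else now
    try:
        expires_text, sig = token.split(".", 1)
        expires = int(expires_text)
    except (AttributeError, ValueError):
        return False  # malformed or missing token
    if now > expires:
        return False  # token has expired
    # Constant-time comparison avoids leaking signature bytes via timing.
    return hmac.compare_digest(sig.encode(), _sign(file_id, expires))
```
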
CiviCRM Versions 5.10.2 and earlier
CiviCRM Version 5.10.3 and 5.7.4
Upgrade to the latest CiviCRM version
NOTE: If you have an external integration which constructs URLs for file-attachments, then you may need to update it.
- Updated support for Drupal Views is already included with the latest CiviCRM.
- For other integrations, please use the Attachment.get API. The Attachment.get API provides a backward-compatible and forward-compatible way to determine the attachment's download URL (return=url) or raw content (return=content,mime_type), and it has improved support for transitive permissioning.
Guanhuan Chen of Compucorp for reporting the issue.
Seamus Lee of Australian Greens, Tim Otten of CiviCRM, and Eileen McNaughton of Wikimedia for fixing the issue.