the issue is within the /public/legacy/.htaccess file:
If you change it from:
RedirectMatch 403 (?i)/+upload
to:
RedirectMatch 403 (?i)/+upload/$
(allow images within the folder, but not the folder itself)
or comment this one out entirely:
# RedirectMatch 403 (?i)/+upload/$
(allow all access to the upload directory)
However, one would have to contemplate the security implications about this.
The upload folder contains an index.html with content that doesn’t give away much.
If one can guess IDs / paths of contents, this is they way to make it publicly accessible - so careful with this approach.
