After upgrading to 220.127.116.11, files uploaded via the upload manager are now given permissions of 0640, rather than 0777 as they were. The problem is that in a shared hosting environment with SuPHP, the uploaded files have an owner and group of myaccount:myaccount, but the webserver runs as the user apache or nobody, so the new permissions of 0640 mean that apache cannot read and serve up the images.
As far as I know, there are two solutions to this problem. One solution, given in the accepted answer above, is to override lib/Varien/File/Uploader.php and change the chmod on line 219 to 0644 and the mkdir on line 541 to 0755. The alternate solution requires changing the ownership of all files in the webroot to myaccount:webserver, and then setting the guid bit for all directories. This means that all files with 0640 are readable by the webserver and all files created by PHP or uploaded by FTP continue to have the myaccount:webserver ownership.
I accept that changing uploaded file permissions to prevent them being globally executable makes a lot of sense, but this could have been achieved by a reduction of permissions from 0777 to 0644, not all the way to 0640. Surely PCI compliance would have been achieved just by preventing the files from being executable?
As a temporary measure I've implemented the first solution: overriding the Uploader.php. If Magento plans to release a patch which will put uploaded file permissions to 0644, then I'll leave my override in place. If there is no plan to patch then I'll adjust my servers, as I'd rather not have a library override on my systems.
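An added example, not part of the original post and not Magento code: a stat-based audit of a media tree that reports which files a web server account cannot read, which files carry an execute bit, and which directories lack setgid, so either fix described above can be checked. The uid/gid values and the sample tree are constructed, and the function names are hypothetical.

```python
import os
import stat
import tempfile

def web_can_read(mode, uid, gid, web_uid, web_gids):
    """Unix read check from stat data: owner class first, then group, then other."""
    if uid == web_uid:
        return bool(mode & stat.S_IRUSR)
    if gid in web_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)

def audit_tree(root, web_uid, web_gids):
    """Walk root; report files the web server cannot read, files with an
    execute bit, and directories without setgid (new files there will not
    inherit the directory's group)."""
    report = {"unreadable": [], "executable": [], "no_setgid": []}
    for dirpath, _dirs, files in os.walk(root):
        if not os.stat(dirpath).st_mode & stat.S_ISGID:
            report["no_setgid"].append(os.path.relpath(dirpath, root))
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if not web_can_read(st.st_mode, st.st_uid, st.st_gid, web_uid, web_gids):
                report["unreadable"].append(rel)
            if st.st_mode & 0o111:
                report["executable"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed sample tree: one upload at 0640, one at 0644, one at 0755."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "catalog"))
        for rel, mode in (("catalog/a.jpg", 0o640), ("catalog/b.jpg", 0o644), ("c.jpg", 0o755)):
            path = os.path.join(root, rel)
            open(path, "wb").close()
            os.chmod(path, mode)
        st = os.stat(os.path.join(root, "c.jpg"))
        web_uid = st.st_uid + 1  # hypothetical web server uid, never the file owner
        # Web server outside the files' group (the situation in the post) ...
        before = audit_tree(root, web_uid, {st.st_gid + 1})
        # ... versus a member of it (the myaccount:webserver arrangement).
        after = audit_tree(root, web_uid, {st.st_gid})
        return before, after

if __name__ == "__main__":
    for label, result in zip(("outside group", "in group"), demo()):
        print(label, result)
```

The check uses mode bits and ownership only, so it can be run by any account that can list the tree; it does not account for ACLs or parent-directory traversal permissions.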
The problem comes about because Magento allows customer uploads of files. If customers can upload files and then execute files because they were globally readable, you are in a world of hurt. It's why I do not see how anyone can possibly feel they are PCI compliant if they are running on a Shared Hosting Plan. Just isn't possible.
As to it being sufficient for making sure that the uploaded files aren't executable, they also have to not be interpretable (php) which brings up the .htaccess file that controls the media directory tree. If you are running nginx and haven't implemented the rules in that file, you are upload hackable. If you have one of those hosting plans where the "common sense" (and I have seen that fallacious term in multiple posts) fix so your media files can be readable by the web server is to remove or modify the media .htaccess file, you are upload hackable. And the first line of attack is a card information passthrough hack on your card gateway scripting.
The release notes for 18.104.22.168 (http://merch.docs.magento.com/ce/user_guide/magento/release-notes-ce-22.214.171.124.html) suggest that the permissioning problem has been fixed. I'll update this thread after I've tested the patch.
"Upload File Permissions
The patch restores less restrictive file permissions (0666 for files and 0777 for directories) as more strict permissions introduced by the original SUPEE-7405 patch cause many merchants not to be able to view uploaded product images, depending on hosting provider configuration."
I just upgraded to Magento 126.96.36.199 and it appears the directories are correct, but when I added a media file, that was set to 640.