Security issue: File URLs are easy to guess #9
Comments
I have found some glitch that I cannot resolve. After installing the extension, I configure the

```php
'controllerMap' => [
    'file' => backend\controllers\FileController::class,
],
```

I am using yii2-advanced-template and only expose the backend application. I have my own FileController with access control. But, even if I remove completely the configuration above, it can still access the file (without authentication), which means it has access to the

Update #0

```php
public function bootstrap($app)
{
    if ($app instanceof \yii\web\Application) {
        $app->controllerMap['file'] = __NAMESPACE__ . '\FileController';
    }
}
```

Do we need another param like

```php
<?php
namespace mdm\upload;

/**
 * Description of Bootstrap
 *
 * @author Misbahul D Munir <[email protected]>
 * @since 1.0
 */
class Bootstrap implements \yii\base\BootstrapInterface
{
    public function bootstrap($app)
    {
        // Register the extension's public FileController only for web requests,
        // only when the application has not disabled public file access
        // (empty() also covers the case where the param is not set at all),
        // and only when the application has not already mapped 'file' itself.
        if (
            $app instanceof \yii\web\Application &&
            empty($app->params['disableFilePublicAccess']) &&
            !isset($app->controllerMap['file'])
        ) {
            $app->controllerMap['file'] = __NAMESPACE__ . '\FileController';
        }
    }
}
```

What is your suggestion?
@mdmunir I implemented a simple approach to generate the uuid field: prabowomurti@0776d6f. If you agree to implement it, I would love to ask for a PR. Thank you.
With the file URLs like `http://SERVER.TLD/file?id=123`, it's very easy to see any file on the server: you just start with `?id=1` and keep incrementing the number for as long as you like. To me, it seems like quite a huge security issue. To work around this, I suggest using a different identifier for file queries. For example, storing the file id as a GUID, which is not incremental, might work well.

Also, I think it would be nice to be able to link to the file directly if it's uploaded to a public place, although if the above were implemented, that would be enough.
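The two mitigations raised in this thread, an application-side controller with access control (first comment) and a non-incremental identifier instead of `?id=123` (issue body), combined in one added example. This is illustrative code written for this page, not the extension's own code; the `FileModel` class, its `file` table with `token`, `path`, `name` and `owner_id` columns, and the `backend\controllers` namespace are assumptions.

```php
<?php
// Added example (not from the mdm/yii2-upload project): a hypothetical
// FileModel and FileController showing both mitigations discussed in
// this issue. A `file` table with columns id, token, path, name and
// owner_id is assumed; `token` should carry a UNIQUE index.

namespace backend\controllers;

use Yii;
use yii\db\ActiveRecord;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;

/** Hypothetical file record; replace with the project's own model. */
class FileModel extends ActiveRecord
{
    public static function tableName()
    {
        return '{{%file}}';
    }

    public function beforeSave($insert)
    {
        if (!parent::beforeSave($insert)) {
            return false;
        }
        if ($insert && empty($this->token)) {
            // 32 characters from Yii's CSPRNG-backed helper: unlike the
            // auto-increment `id`, this cannot be enumerated by counting up.
            $this->token = Yii::$app->security->generateRandomString(32);
        }
        return true;
    }
}

class FileController extends Controller
{
    public function behaviors()
    {
        return [
            'access' => [
                'class' => AccessControl::class,
                'rules' => [
                    // '@' = authenticated users only; guests get a 403.
                    ['allow' => true, 'roles' => ['@']],
                ],
            ],
        ];
    }

    /** Serves /file?token=... ; the sequential id is never accepted here. */
    public function actionIndex($token)
    {
        $file = FileModel::findOne(['token' => (string) $token]);
        if ($file === null) {
            throw new NotFoundHttpException('File not found.');
        }
        // A random token makes URLs unguessable, but it is not authorization:
        // still confirm the requester is allowed to see this particular file.
        if ((int) $file->owner_id !== (int) Yii::$app->user->id) {
            throw new ForbiddenHttpException('You may not access this file.');
        }
        return Yii::$app->response->sendFile($file->path, $file->name, ['inline' => true]);
    }
}
```

Links to a file are then built from the token, for example `Url::to(['file/index', 'token' => $file->token])`, and the application keeps its own `controllerMap['file']` entry so that this controller, not the extension's unauthenticated one, answers `/file` requests. Genuinely public files can still be served directly from a web-accessible directory, as the issue body suggests, with no controller involved at all.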