
Security issue: File URLs are easy to guess #9

Open
rimas-kudelis opened this issue Oct 26, 2015 · 2 comments

Comments

@rimas-kudelis
Contributor

With file URLs like http://SERVER.TLD/file?id=123, it's very easy to see any file on the server: you just start with ?id=1 and keep incrementing the number for as long as you like. To me, it seems like quite a huge security issue.

To work around this, I suggest using a different identifier for file queries. For example, storing the file id as a GUID, which is not incremental, might work well.

Also, I think it would be nice to be able to link to the file directly, if it's uploaded to a public place, although if the above were implemented, that would be enough.

@prabowomurti

prabowomurti commented Sep 13, 2023

I have found a glitch that I cannot resolve. After installing the extension, I configured the controllerMap as follows:

'controllerMap' => [
        'file' => backend\controllers\FileController::class,
],

I am using yii2-advanced-template and only expose the backend application. I have my own FileController with access control. But even if I completely remove the configuration above, it can still access the file (without authentication), which means it has access to \mdm\upload\FileController (?).

Update #0
I just realized it always loads the Bootstrap class and sets controllerMap['file'] to \mdm\upload\FileController, no matter what I set the controllerMap['file'] value to.

    public function bootstrap($app)
    {
        if ($app instanceof \yii\web\Application) {
            // Unconditionally overrides whatever controllerMap['file'] the app config set
            $app->controllerMap['file'] = __NAMESPACE__ . '\FileController';
        }
    }

Do we need another param like disableFilePublicAccess?

<?php

namespace mdm\upload;

/**
 * Description of Bootstrap
 *
 * @author Misbahul D Munir <[email protected]>
 * @since 1.0
 */
class Bootstrap implements \yii\base\BootstrapInterface
{

    public function bootstrap($app)
    {
        // Register the public FileController only when the app has not opted out
        // via params['disableFilePublicAccess'] and has not mapped 'file' itself.
        // empty() avoids an undefined-index notice when the param is not set.
        if (
            $app instanceof \yii\web\Application &&
            empty($app->params['disableFilePublicAccess']) &&
            !isset($app->controllerMap['file'])
        ) {
            $app->controllerMap['file'] = __NAMESPACE__ . '\FileController';
        }
    }
}

What is your suggestion?

@prabowomurti

@mdmunir I implemented a simple approach to generate the uuid field. prabowomurti@0776d6f

If you agree to implement it, I would love to ask for a PR. Thank you.
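
The two mitigations discussed in this thread, sketched for a Yii2 app as an added example (not code from mdm/yii2-upload or from either commenter): files are looked up by a random token instead of the auto-increment id, and the download action sits behind access control. The `UploadedFile` model, its `uuid`/`owner_id`/`path`/`name` columns and the `{{%file}}` table are assumptions for the illustration.

```php
<?php
// Added example; hypothetical model and controller, not the extension's own code.
namespace app\controllers;

use Yii;
use yii\db\ActiveRecord;
use yii\filters\AccessControl;
use yii\web\Controller;
use yii\web\NotFoundHttpException;

class UploadedFile extends ActiveRecord // assumed model: id, uuid, owner_id, path, name
{
    public static function tableName() { return '{{%file}}'; }

    public function beforeSave($insert)
    {
        if ($insert && empty($this->uuid)) {
            // 128 bits from the CSPRNG rendered as a v4-style UUID: not enumerable
            $b = random_bytes(16);
            $b[6] = chr((ord($b[6]) & 0x0f) | 0x40);
            $b[8] = chr((ord($b[8]) & 0x3f) | 0x80);
            $this->uuid = vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
        }
        return parent::beforeSave($insert);
    }
}

class FileController extends Controller
{
    public function behaviors()
    {
        // Deny anonymous requests outright; logged-in users ('@') may proceed to the owner check
        return ['access' => ['class' => AccessControl::class,
            'rules' => [['allow' => true, 'roles' => ['@']]]]];
    }

    // GET /file/view?uuid=... (the sequential ?id=123 is never accepted)
    public function actionView($uuid)
    {
        $file = UploadedFile::findOne(['uuid' => $uuid]);
        // Same 404 for "no such file" and "not yours", so the response leaks nothing either way
        if ($file === null || $file->owner_id != Yii::$app->user->id) {
            throw new NotFoundHttpException('File not found.');
        }
        return Yii::$app->response->sendFile($file->path, $file->name);
    }
}
```

With the model generating `uuid` on insert, existing rows still need a one-off backfill before the `id` route is retired.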
