Security issue: File URLs are easy to guess #9
Comments
|
I have found some glitch that I can not resolve. After installing the extension, I configure the 'controllerMap' => [
'file' => backend\controllers\FileController::class,
],I am using yii2-advanced-template and only expose the backend application. I have my own FileController with accesscontrol. But, even if I remove completely the configuration above, it can still access the file (without authentication), means it has access to the Update #0 public function bootstrap($app)
{
if ($app instanceof \yii\web\Application) {
$app->controllerMap['file'] = __NAMESPACE__ . '\FileController';Do we need another param like <?php
namespace mdm\upload;
/**
* Description of Bootstrap
*
* @author Misbahul D Munir <[email protected]>
* @since 1.0
*/
class Bootstrap implements \yii\base\BootstrapInterface
{
public function bootstrap($app)
{
if (
$app instanceof \yii\web\Application &&
!($app->params['disableFilePublicAccess']) &&
!isset($app->controllerMap['file'])
) {
$app->controllerMap['file'] = __NAMESPACE__ . '\FileController';
}
}
}What is your suggestion? |
|
@mdmunir I implemented a simple approach to generate the uuid field. prabowomurti@0776d6f If you agree to implement it, I would love to ask for a PR. Thank you. |
With the file urls like
http://SERVER.TLD/file?id=123, it's very easy to see any file on the server: you just start with?id=1, and keep incrementing the number for as long as you like. To me, it seems like quite a huge security issue.To work this around, I suggest to use a different identifier for file queries. For example, storing file id as GUID, which is not incremental, might work well.
Also, I think it would be nice to be able to link to the file directly, if it's uploaded to a public place, although if the above were implemented, that would be enough.
The text was updated successfully, but these errors were encountered: