Uploaded files are accessible even if not loggued on

Wikiphil

Hello,

"Files" is a nice feature, but I'm not sure about the security of the uploaded files. In the demo, I've uploaded a file and then close all my browser, then grab the file link in the history. It works?!?
Example: https://demo.itflow.org/uploads/clients/57/0de2aa2390b4dda32d19ccc30eb39f908cab7d8dd433fd645821689958fe97f9Qi.pdf
It is located in the demo site.

Is there a way to secure these accesses?

Regards.

wrongecho

Hey @Wikiphil

This is as expected. All files get a random file name for this reason. I don't really see this as a security issue.

There are ways around this, including writing our own file handler (like we do for sharing links), or if we were using something like S3 you can have time limited access links. Some sites do this, many don't.

Wikiphil

Ok, sounds good. But, if the files contain something private, it is preferable to protect them from anyone on the Internet.

I found a way to protect the files from Apache2 configuration. I added the following in my site configuration:

<Directory /var/www/html/uploads>
SetEnvIfNoCase Cookie PHPSESSID=.* PASS=1
AuthType Basic
AuthName "FORBIDDEN AREA"
Require valid-user
#Allow valid-user Order Deny,Allow Deny from all Allow from env=PASS Satisfy any

</Directory>

It works fine on my side.

wrongecho

Respectfully, checking for the presence of the session cookie (but not it's validity or content) isn't really much protection as anyone can set cookies of any value.

This may also break the invoicing guest view page, not sure.