Erudika / scoold-pro

Cloud-ready Q&A platform for the enterprise (self-hosted, on premise)
https://scoold.com

It's possible to access files in the /upload directory without authentication. #50

Closed jorgeag68 closed 3 years ago

jorgeag68 commented 3 years ago

Uploaded files are accessible on the server without any authentication.

We have mitigated the issue by adding a control on our nginx proxy that limits access by http_referer.

In any case, a command like this is still possible if the user sets the "Referer:" HTTP header.

wget --header="Referer: https://www.myserver.com/" https://www.myserver.com/upload/files/1264547974638211072_test.json

albogdano commented 3 years ago

Fixed. When para.is_default_space_public = false is set, uploaded files require authentication, unless you set para.uploads_require_auth = false.

jorgeag68 commented 3 years ago

Hello. I have the following setting in place, so I think the files should not be visible without authentication.

# If true, the default space will be accessible by everyone
para.is_default_space_public = false

So, it should work fine.

I don't have this setting in the configuration: para.uploads_require_auth = false

So, is the default false? I can try to set it to true to force authentication.

albogdano commented 3 years ago

Yes, that is exactly the idea - if your site is private, all uploads will be accessible by registered and authenticated accounts only. If you log out, you won't be able to access the files. para.uploads_require_auth = true is for the cases where para.is_default_space_public = true (public site) but still you want to protect file uploads. By default, uploads are protected if para.is_default_space_public = false so you won't have to change anything in your configuration.

jorgeag68 commented 3 years ago

Correct. That was what I thought. But our tests and our experience show differently. We can still download the files using the direct URL.

I'll do two things: upgrade to scoold-pro-1.41.2.jar (I'm still running 1.41.1), then check without "para.uploads_require_auth" and with "para.uploads_require_auth = true", and get back to you.

Note that we use LDAP authentication. Did not mention that before.

albogdano commented 3 years ago

This change is not yet released, please wait for Scoold 1.41.3 or 1.42 to be released which will be today or tomorrow.

jorgeag68 commented 3 years ago

OK. I'll wait. Thank you.

jorgeag68 commented 3 years ago

Hello. I've received and installed the new pro version 1.42.0.

I've activated the new config: para.uploads_require_auth = true

It seems to work correctly, returning 403 when we try to download a file without being authenticated.

There is a small issue when using the option. It now fails to load our custom_logo with error 403.

Can you fix that?

jorgeag68 commented 3 years ago

Also found that some random images are blocked. I've disabled the setting for now: para.uploads_require_auth = false.

albogdano commented 3 years ago

Ok, this will be fixed. Can you tell me exactly which other images are blocked when you log out?

albogdano commented 3 years ago

Fixed!

jorgeag68 commented 3 years ago

I'm using now the latest Scoold Pro 1.43.2.

Using:

# Force authentication for uploads directory
para.uploads_require_auth = true

We can still download attachments from the system without authentication.

Example:

wget --header="Referer: https://www.myserver.com/" https://www.myserver.com/upload/files/1616147483070_image.png

albogdano commented 3 years ago

@jorgeag68 Yes, but the downloaded image is a lock icon.

jorgeag68 commented 3 years ago

Got it. Thanks.
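Two points in the thread are easy to get wrong when re-testing: a Referer rule on the proxy is not authentication (the wget commands above forge the header in one flag), and with para.uploads_require_auth = true Scoold Pro answers a logged-out request with a lock icon rather than a 403, so the HTTP status alone does not tell you whether the real file leaked. The probe below is an added example written for this thread; it is not Scoold's or Erudika's code, and the site URL, file path and expected SHA-256 are placeholders you replace with a file you uploaded yourself. It fetches the upload URL with no session cookie, once without and once with a forged Referer, and compares the body against the hash of the original file.

```python
"""Probe whether a Scoold upload URL is served without a session.

Added example for the issue thread above; not Scoold's own code.
The URL, file path and expected SHA-256 are placeholders (assumptions).
"""
import hashlib
import sys
import urllib.error
import urllib.request


def sha256_hex(data):
    """Hex SHA-256 of a byte string (used to compare served bytes with the uploaded file)."""
    return hashlib.sha256(data).hexdigest()


def fetch(url, headers=None):
    """GET url and return (status, content_type, body); 4xx/5xx are results, not exceptions."""
    req = urllib.request.Request(url, headers=headers or {}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


def classify(status, content_type, body, expected_sha256=None):
    """Interpret an unauthenticated fetch of an upload.

    Status alone is not enough: the thread reports that with
    para.uploads_require_auth = true the server answers 200 with a lock
    icon instead of the file, so a 200 must be compared against the bytes
    that were actually uploaded.
    """
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not-found"
    if status != 200:
        return "other-%d" % status
    # urllib follows redirects, so a bounce to a login page also arrives as 200 text/html
    if content_type.split(";")[0].strip() == "text/html":
        return "html-page"
    if expected_sha256 is None:
        return "served-unverified"  # 200, but nothing to compare the body against
    if sha256_hex(body) == expected_sha256:
        return "served-original"    # the uploaded file leaked
    return "served-placeholder"     # e.g. the lock icon mentioned in the thread


def probe(url, expected_sha256=None, referer=None):
    """Fetch url with no cookies, optionally with a forged Referer (as in the wget commands above)."""
    headers = {"User-Agent": "upload-probe/1"}
    if referer:
        headers["Referer"] = referer
    status, ctype, body = fetch(url, headers)
    return classify(status, ctype, body, expected_sha256)


if __name__ == "__main__":
    # Placeholders: your site, one file you uploaded while logged in, and its sha256sum.
    site = sys.argv[1] if len(sys.argv) > 1 else "https://www.myserver.com"
    path = sys.argv[2] if len(sys.argv) > 2 else "/upload/files/1616147483070_image.png"
    digest = sys.argv[3] if len(sys.argv) > 3 else None
    for ref in (None, site + "/"):
        verdict = probe(site + path, digest, referer=ref)
        print("Referer=%-28s -> %s" % (ref, verdict))
    # Per the thread, a protected site yields 'denied' or 'served-placeholder' for both
    # requests. 'served-original' only when the Referer is set means the proxy's
    # referer rule is the only thing standing between the file and the internet.
```

Run it as `python probe.py https://www.myserver.com /upload/files/<name> $(sha256sum image.png | cut -d' ' -f1)`; the hash argument is what turns a bare 200 into a real verdict.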