HaschekSolutions / pictshare

:camera: PictShare is an open source image, mp4, pastebin hosting service with a simple resizing and upload API that you can host yourself. :rice_scene:
https://www.pictshare.net
Apache License 2.0

csv files in /data are accessible #103

Closed thomasdeurloo closed 4 years ago

thomasdeurloo commented 4 years ago

Hi,

The folder "data" contains the sha1.csv, which contains the hashes. My folder also contains a file called "uploads.csv" containing the logged uploads. (I assume that the presence of this file is dependent on the parameter to log uploads.) The csv files are publicly accessible to everyone. So if one knows that this system is used, he can request a full overview of the sha1 hashes, and in case of the logged uploads also the IP addresses.

To prevent this I created an .htaccess file in the data folder containing

<FilesMatch "\.(php|pl|py|jsp|exe|flv|csv|asp|htm|shtml|sh|cgi)$">
Deny from All
</FilesMatch>

This blocks access to requests for csv files (as well as some other files than uploaded content, just to be sure). Is this the best way of doing this?

geek-at commented 4 years ago

Thanks, will add it to the nginx config

In the install example I use this as the default:

location ~ /(data|tmp|bin|content-controllers|inc|interfaces|storage-controllers|templates|tools) { deny all; return 404; }
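As an added illustration (not part of this thread), the following Python models how the two rules discussed above decide a request: the nginx regex location from the install example and the FilesMatch from the .htaccess in /data (assumed to be honoured by Apache, i.e. AllowOverride permits it). The sample request paths are constructed, not taken from any deployment.

```python
import re
from os.path import basename

# Constructed request paths for comparing the two rules.
SAMPLE_PATHS = [
    "/data/sha1.csv",
    "/data/uploads.csv",
    "/data/notes.txt",
    "/tmp/work.jpg",
    "/inc/config.inc.php",
    "/templates/index.html",
    "/abc123def.jpg",
    "/images/tmp_view.png",
]

# The nginx rule from the install example: a regex location with no ^ anchor,
# so the listed directory names match wherever they occur in the URI.
NGINX_DENY = re.compile(
    r"/(data|tmp|bin|content-controllers|inc|interfaces|storage-controllers|templates|tools)"
)

# The FilesMatch pattern from the .htaccess placed in /data; it is matched
# against file names only and (assumed) applies to everything below /data.
HTACCESS_DENY = re.compile(r"\.(php|pl|py|jsp|exe|flv|csv|asp|htm|shtml|sh|cgi)$")


def nginx_status(path: str) -> int:
    """Status the nginx location yields: 404 (return 404) when matched, else 200."""
    return 404 if NGINX_DENY.search(path) else 200


def htaccess_status(path: str) -> int:
    """Status under /data/.htaccess: 403 (Deny from All) for matching names in /data, else 200."""
    if path.startswith("/data/") and HTACCESS_DENY.search(basename(path)):
        return 403
    return 200


def compare_rules(paths):
    """Map each path to (nginx_status, htaccess_status) so coverage can be compared."""
    return {p: (nginx_status(p), htaccess_status(p)) for p in paths}


if __name__ == "__main__":
    for path, (ng, ht) in compare_rules(SAMPLE_PATHS).items():
        print(f"{path:28} nginx={ng} htaccess={ht}")
```

The comparison shows that both rules block the csv files, while the extension list leaves other file types in /data reachable and the unanchored nginx regex also denies any URI that merely contains one of the listed names.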