YunoHost-Apps / lutim_ynh

Lutim package for YunoHost
https://lut.im
GNU General Public License v3.0

Anyone can upload images using mobile apps? #17

Closed scith closed 7 years ago

scith commented 7 years ago

Hello, I have just installed a private instance of Lutim. When trying to use Lutim with its mobile app http://www.gobl.im/, it allowed me to upload an image to my server without having to provide any login/password. The picture was available online and I could not find it in the "my images" page of any of my accounts. Is this the standard behavior or is it a bug?

Thanks

maniackcrudelis commented 7 years ago

Nice app! I didn't know it.

So, of course no, it's not the expected behavior. But, after installing this app on my phone, I see I have nothing in my nginx log. But if you take a look at the lutim log (/var/log/lutim/production.log), you can see an entry like this:

[CREATION] 192.168.1.52 remote port:53280 pushed DSC_0104.JPG (path: files/nQyqaZSi.JPG)

Of course, this port is closed on my server. On a second test, it uses the port 53383 through my router (I use 4G for this test).

I think it doesn't open a port on the server, but on the phone. But even like that, how can they communicate first...?

maniackcrudelis commented 7 years ago

OK, found... A stupid error...

You can't access /lutim/ but you can access /lutim...
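The comment above describes an access rule that covers the path `/lutim/` but not its slash-less spelling `/lutim`. The following is an added illustration, not code from lutim_ynh, YunoHost or Lutim: it models an SSO guard that decides by path prefix whether a request must be authenticated, shows which request spellings slip past a rule written only as `/lutim/`, and contrasts it with a rule that canonicalises the path first. The install path `/lutim`, the request samples and the function names are all assumptions made for the example.

```python
# Constructed example (not code from lutim_ynh, YunoHost or Lutim): a path-prefix
# access rule in the shape of the bug described above, next to a canonicalising one.
import posixpath
from urllib.parse import unquote

PROTECTED_BASE = "/lutim"  # assumed install path of the app behind the SSO


def naive_is_protected(raw_path: str, prefix: str = PROTECTED_BASE + "/") -> bool:
    """Rule as a literal trailing-slash prefix: "/lutim" itself is not matched."""
    return raw_path.startswith(prefix)


def normalise_path(raw_path: str) -> str:
    """Canonicalise a request path before comparing it with an access rule."""
    path = raw_path.split("#", 1)[0].split("?", 1)[0]  # drop ?query and #fragment
    path = unquote(path)                                # %2F etc. -> literal characters
    path = posixpath.normpath("/" + path)               # collapse //, ./ and ../, strip trailing /
    return "/" + path.lstrip("/")                       # normpath keeps a leading "//"; squash it


def hardened_is_protected(raw_path: str, base: str = PROTECTED_BASE) -> bool:
    """Protect the base itself and everything below it, but not e.g. /lutimfoo."""
    path = normalise_path(raw_path)
    return path == base or path.startswith(base + "/")


# Constructed request paths, including spellings a client might send.
SAMPLE_REQUESTS = [
    "/lutim/",
    "/lutim",
    "/lutim?foo=bar",
    "/lutim//",
    "/lutim/./",
    "/lutim/upload",
    "/lutim%2F",
    "/lutimfoo",
    "/other/../lutim",
]


def audit(paths=SAMPLE_REQUESTS):
    """Return (path, naive_result, hardened_result) for each request path."""
    return [(p, naive_is_protected(p), hardened_is_protected(p)) for p in paths]


def bypasses(paths=SAMPLE_REQUESTS):
    """Paths the canonicalising rule protects but the naive prefix rule lets through."""
    return [p for p, naive, hard in audit(paths) if hard and not naive]


if __name__ == "__main__":
    for p, naive, hard in audit():
        print(f"{p:20} naive={str(naive):5} hardened={hard}")
    print("paths the naive rule misses:", bypasses())
```

The point of `bypasses()` is the check a packager wants before shipping: every spelling of the protected base that the web server would route to the app must be classified the same way by the guard in front of it. Canonicalising before comparing is what makes the rule independent of how the client wrote the path.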

maniackcrudelis commented 7 years ago

OK, I'm gonna fix that. But that will break this wonderful app if your app is not public...

maniackcrudelis commented 7 years ago

Fixed by https://github.com/YunoHost-Apps/lutim_ynh/commit/c238e68ba9c7996cbbf50ba422d4d3b5be7ae3b4

ldidry commented 7 years ago

@scith The "my images" page works only on the browser you uploaded the images with (it uses localStorage) => standard behavior of Lutim. (Goblim keeps information about the uploaded images, allowing you to delete/reshare them.) For the "I can upload with Goblim even if my lutim is supposed to be protected", @maniackcrudelis dealt with it.

scith commented 7 years ago

@ldidry Thanks, I see. We are thinking with @maniackcrudelis about a way to circumvent this problem, which is common to all apps protected behind SSO and having mobile applications. To be continued here: https://dev.yunohost.org/issues/905 :)

ldidry commented 7 years ago

Lutim will have LDAP authentication, when I have the time to backport that feature from lstu.