ebess / advanced-nova-media-library

A Laravel Nova field for displaying, creating, updating and ordering a Spatie Media Library model.

🛡️ Protect files and images downloads #396

Closed potsky closed 1 year ago

potsky commented 1 year ago

Problem

Anyone can download any file on any installation without being authenticated 😱

Given that Media IDs are sequential, just go to https://xxx/nova-vendor/ebess/advanced-nova-media-library/download/[0-9]* and download what you want.

Solution

Use UUIDs; they are used for this at Spatie.

I do not replace the ID with the UUID in this PR because some users might use the current URL pattern for other cases. So we just need to add the unpredictable UUID of the Media in the query string and check in the download controller that the UUID is correct.

Can solve #261
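One way to implement the check described above, as an added example that is not part of the PR or the project's own code: the download URL keeps the sequential `{id}` but also carries the Media record's `uuid` as a query parameter, and the controller refuses to serve the file unless the two agree. Assumptions: Spatie's Media model exposes a `uuid` attribute (the medialibrary adds a `uuid` column to the `media` table), the `Spatie\MediaLibrary\MediaCollections\Models\Media` namespace is the v9+ one, and the route name `advanced-nova-media-library.download` and the controller class name are hypothetical.

```php
<?php
// Added example, not the project's code. Demonstrates the UUID check the PR
// proposes: the enumerable ID selects the record, the unguessable UUID
// authorises the download.
// Assumptions: Media has a `uuid` attribute; route name and class name are
// hypothetical placeholders.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Routing\Controller;
use Spatie\MediaLibrary\MediaCollections\Models\Media;
use Symfony\Component\HttpFoundation\BinaryFileResponse;

class ProtectedDownloadController extends Controller
{
    /**
     * Build a download link that embeds the media UUID next to the ID.
     * The ID alone can be walked with [0-9]*; the UUID cannot be guessed.
     */
    public static function urlFor(Media $media): string
    {
        return route('advanced-nova-media-library.download', [
            'id'   => $media->getKey(),
            'uuid' => $media->uuid,
        ]);
    }

    public function __invoke(Request $request, int $id): BinaryFileResponse
    {
        $media = Media::findOrFail($id);

        $uuid = (string) $request->query('uuid', '');

        // Reject a missing UUID explicitly: a record whose uuid column is
        // still NULL (e.g. created before the column existed) must not match
        // a request that simply omits the parameter. hash_equals() compares
        // in constant time and returns false on length mismatch, so a wrong
        // UUID leaks nothing about how many characters were right.
        if ($uuid === '' || ! hash_equals((string) $media->uuid, $uuid)) {
            // 404 rather than 403 so an unauthenticated caller cannot use
            // the response to confirm which IDs exist.
            abort(404);
        }

        return response()->download($media->getPath(), $media->file_name);
    }
}
```

Two caveats a practitioner would want alongside this: the URL is now a capability, so whoever holds the link can still download the file without logging in, and the protection is only as strong as the UUID being generated by a CSPRNG (Laravel's `Str::uuid()` is) and never exposed to users who should not have it.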

potsky commented 1 year ago

Hi @bkintanar, @ebess,

could you review and merge this small PR if it is OK with you?

It fixes a huge security problem...

Thanks ❤️

potsky commented 1 year ago

Do you think you have time to merge this PR @bkintanar @ebess ?