havenweb / haven

Self-hostable private blogging
https://havenweb.org
MIT License
650 stars 33 forks source link

The picture link can read pictures without logins #87

Closed ma-ruifeng closed 6 months ago

ma-ruifeng commented 6 months ago

My post: Screenshot_2024-05-09-01-35-40-31_40deb401b9ffe8e1df2f1cc5ba480b12

The Pic link can be readed without login

mawise commented 6 months ago

Haven generates new image links each time a page loads. Those links contain temporary credentials which expire. The way an image could leak this way would be for someone with access to get a link, and give it to someone else immediately for the other person to use without delay. However in this case, the person with existing access could just as easily download the image and give it to someone else.

The link you pasted currently returns an error message:

<Code>AccessDenied</Code>
<Message>Request has expired</Message>

Thanks for being security focused, and please let me know if you think there is an issue with the approach I take here!