jfcherng
commented
3 years ago It's logically conflicting. There is no different between the Office/Google agent and an anonymous person.
As long as you are not turning on the "directory listing" feature on your server (apache/nginx etc), I don't think files under the plugins/cloudview/temp/ directory can be "guessed". But there do is a concern that, if the authorized user uses a malware browser, the browser may log/leak the URL.
I force adding an index.html in every directory via https://github.com/jfcherng-roundcube/plugin-cloudview/blob/a757d91480a9418eb856378e8ad64b00753ec166/cloudview.php#L340-L341
The filename at this moment is purely md5 hash of the file https://github.com/jfcherng-roundcube/plugin-cloudview/blob/a757d91480a9418eb856378e8ad64b00753ec166/cloudview.php#L355-L362
If it can be guessed, it could possible be that some information of that file had been leaked somewhere else already.
How to protect the directory for access without authentication? If you enter the full URL in the browser even without being authenticated, you can get the file in the temp folder.
Example: https://webmail.example.com.br/plugins/cloudview/temp/1/xxxxxxxxx.xlsx
Any additional configuration in the directory? I understand that it needs to be public so that Office or Google can upload the file, the problem is to keep these files in the directory accessible.