kartik-v / yii2-export

A library to export server/db data in various formats (e.g. excel, html, pdf, csv etc.)
http://demos.krajee.com/export

SECURITY: Export could expose data to unauthorized users #251

Closed SteveSimpson closed 6 years ago

SteveSimpson commented 6 years ago
  1. Export writes to a static filename in runtime/export/grid-export.xls (the name differs depending on the format).
  2. If 2 users try to export different data, one will probably overwrite the other or one will fail; worst case, the 2nd user will download the 1st user's data, potentially exposing sensitive data to an unauthorized user.
  3. A solution is to include a username / random hash in the filename that is downloaded.

SteveSimpson commented 6 years ago

I sent an email on this a long time ago, but no reply, so now I am posting a public ticket.

kartik-v commented 6 years ago

You could configure the filename in the ExportMenu::exportConfig['filename'] - it defaults to grid-export - you could set it to anything dynamic you need ... for example:

```php
<?php
use kartik\export\ExportMenu;

echo ExportMenu::widget([
    // per-user, per-second filename instead of the static default "grid-export"
    'filename' => Yii::$app->user->id . '_' . date("Y-m-d-h-i-s") . '_grid-export',
    // other settings
]);
```
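As an added example (not code from the thread or from the yii2-export project), the same configuration with a CSPRNG token appended to the user id and timestamp, so the file name on disk is unique and unguessable even when two exports start in the same second or the user is a guest; `exportFilename` is a hypothetical helper, and `$dataProvider` and `$columns` are assumed to be defined by the view.

```php
<?php
use kartik\export\ExportMenu;

/**
 * Builds a filename such as "42_20190101-130501_9f3c2a1b7e5d4c60_grid-export".
 * User id alone can collide for one user opening two exports; a timestamp
 * alone is predictable. The random token removes both problems, so one
 * user's file is never served to, or guessable by, another user.
 *
 * @param int|string|null $userId  Yii::$app->user->id (null for guests)
 */
function exportFilename($userId, string $base = 'grid-export'): string
{
    $owner = ($userId === null || $userId === '') ? 'guest' : (string) $userId;
    $token = bin2hex(random_bytes(8)); // 16 hex chars from a CSPRNG
    return $owner . '_' . date('Ymd-His') . '_' . $token . '_' . $base;
}

echo ExportMenu::widget([
    'dataProvider' => $dataProvider, // assumption: set up by the view
    'columns'      => $columns,      // assumption: set up by the view
    'filename'     => exportFilename(Yii::$app->user->id),
]);
```

The exported file still lands in the shared runtime/export folder, so a periodic cleanup of old files there limits how long any one user's data sits on disk.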