owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

Thumbnailer allows generating thumbnails for images shared as secure view only #9249

Closed butonic closed 6 months ago

butonic commented 6 months ago

When an image is shared in view only mode it should not be possible to fetch a thumbnail for it. Or not without a watermark.

tbsbdr commented 6 months ago

secureview should not generate a thumbnail.

AlexAndBear commented 6 months ago

Not only images but txt files as well, which makes it even more critical.

dragonchaser commented 6 months ago

@AlexAndBear with PR #9299 txt files got accidentally fixed as well :laughing: The side effect of this is that you can no longer open files that are shared with secure view when you do not have an active Collabora running...

dragonchaser commented 6 months ago

image

mmattel commented 6 months ago

@tbsbdr after a discussion with @dragonchaser I propose that we add a small info into the thumbnail readme that thumbnails will return a 403 (forbidden) for a thumbnail request that belongs to a secure view shared object when the share receiver accesses the data. We already have such info for 404 (unavailable) and too many requests (429). This readme change should directly go into the corresponding (and currently open) PR, see: #9299. Pls advise.

AlexAndBear commented 6 months ago

image

Nice, but with latest web master, we don't even request the thumbnails anymore when secure view is active, so this is more a security feature for attacks or something.

dragonchaser commented 6 months ago

@AlexAndBear I was not aware of that, but that change would be needed anyway. Otherwise someone could craft a thumbnail link for a certain file and read the contents (as you said security...)

AlexAndBear commented 6 months ago

Yeah, just wanted to update all people here in the ticket, so no one is under the impression web is still requesting endpoints that should not be requested ;)
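
The point made in the last comments, that the check must live in the thumbnail endpoint itself because a request can be built without the web client, shown as an added Go example (not ocis code and not the change in PR #9299). The `perms` type, the `acl` map, the `X-User` header and the `/thumbnail?path=` route are hypothetical stand-ins for the real permission lookup and authentication.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// perms is a hypothetical, simplified permission set for one (user, resource) pair.
type perms struct{ Stat, Download bool }

// Constructed sample data: alice owns the file; bob received it as a
// secure view (view only) share, so he may stat it but not download it.
var acl = map[string]map[string]perms{
	"/photos/plan.png": {"alice": {true, true}, "bob": {true, false}},
}

// thumbnailHandler authorizes on the server before any preview is rendered.
func thumbnailHandler(w http.ResponseWriter, r *http.Request) {
	user := r.Header.Get("X-User") // assumption: set by an authentication middleware
	p, ok := acl[r.URL.Query().Get("path")][user]
	switch {
	case !ok || !p.Stat:
		http.Error(w, "not found", http.StatusNotFound) // no access at all
	case !p.Download:
		// A thumbnail is a copy of the content: view-only recipients get 403.
		http.Error(w, "forbidden", http.StatusForbidden)
	default:
		w.Header().Set("Content-Type", "image/png")
		w.Write([]byte("thumbnail-bytes")) // placeholder for the rendered preview
	}
}

// statusFor issues a thumbnail request directly against the handler, bypassing
// any client-side logic, and returns the HTTP status code.
func statusFor(user, path string) int {
	target := "/thumbnail?path=" + url.QueryEscape(path)
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	thumbnailHandler(rec, req)
	return rec.Code
}

func main() {
	for _, u := range []string{"alice", "bob", "mallory"} {
		fmt.Println(u, statusFor(u, "/photos/plan.png"))
	}
}
```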