psi-4ward / psitransfer

Simple open source self-hosted file sharing solution.
BSD 2-Clause "Simplified" License
1.45k stars 211 forks

Pulling files without authentication #271

Closed b0bu closed 1 year ago

b0bu commented 1 year ago

This may be intended behaviour. It might be the default behaviour where extra configuration is required for anything else; I see the README says "Password protected download list", not password protected downloads. I'm getting various results when testing against a local instance in Lima and a public-facing instance used by a third-party service. On the public instance I can pull a file if I know the name, regardless of authentication.

For a given URL 05cb22e51722, by adding .json with the password header I can obtain the url attribute of the JSON:

```shell
curl -s http://0.0.0.0:3000/05cb22e51722.json -H 'x-download-pass:XXXXXX' | jq '.items[].url'
```

With that URL I can download the file, without the password.

```
http://0.0.0.0:3000/05cb22e51722/files/05cb22e51722++5358525c605b85e0e8dc84965f6dc138
```

When I do this locally, I get a permission denied error and the server crashes, but I'm allowed to pull the file anyway; on the public instance (that I don't own) I get no crash. IDs might not match, I'm just copying out examples from the terminal; it should be easy to recreate.

```
2023-05-02T22:19:44.389Z GET /files/05cb22e51722++54a07ca1-9931-42d2-9261-3bb7d5661192 200 26.421 10.4.0.1
node:internal/process/promises:288
            triggerUncaughtException(err, true /* fromPromise */);
            ^

[Error: EACCES: permission denied, open '/data/05cb22e51722/54a07ca1-9931-42d2-9261-3bb7d5661192.json'] {
  errno: -13,
  code: 'EACCES',
  syscall: 'open',
  path: '/data/05cb22e51722/54a07ca1-9931-42d2-9261-3bb7d5661192.json'
}
```

psi-4ward commented 1 year ago

> With that URL I can download the file, without the password.

That's correct.

`EACCES: permission denied, open` means a filesystem-level restriction. Of course, the IDs are random.
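The two-step check the reporter ran by hand, as an added example that is not code from the issue or from psitransfer: request the bucket listing with the `x-download-pass` header, then request every listed file URL without the header and report which ones the server still serves. It assumes only what the thread shows (a `<bucket>.json` listing with an `items[].url` array, and the per-file URLs it contains); the `fetch` parameter, the `http_fetch` helper and the treatment of any non-200 listing status as an error are assumptions of this script. Run it only against an instance you own.

```python
"""Probe for the behaviour discussed in psitransfer issue #271.

Added example, not part of the issue or of psitransfer. Assumed API (from the
thread): GET <base>/<bucket>.json with an x-download-pass header returns
{"items": [{"url": ...}, ...]}; each url points at a downloadable file.
The transport helper and status-code handling below are this script's own
assumptions.
"""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

PASS_HEADER = "x-download-pass"


def http_fetch(url, headers=None):
    """Default transport (assumed): return (status, body). HTTP errors are
    returned as a status instead of raised so the probe can classify them."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def list_bucket(base, bucket, password, fetch=http_fetch):
    """Fetch the password-protected listing; return absolute file URLs.

    urljoin handles both relative and absolute item URLs, and the trailing
    slash on base keeps a sub-path install (e.g. https://host/psi/) intact.
    """
    base = base.rstrip("/") + "/"
    status, body = fetch(urljoin(base, f"{bucket}.json"), {PASS_HEADER: password})
    if status != 200:
        raise RuntimeError(f"listing returned HTTP {status}")
    items = json.loads(body)["items"]
    return [urljoin(base, item["url"]) for item in items]


def probe_unauthenticated_download(base, bucket, password, fetch=http_fetch):
    """Request each listed file WITHOUT the password header.

    Returns {file_url: True if the server returned 200 anyway, else False}.
    A True entry means the file URL alone (i.e. the random ID) is what
    protects the content, exactly what the thread describes.
    """
    results = {}
    for url in list_bucket(base, bucket, password, fetch):
        status, _ = fetch(url, {})  # deliberately no x-download-pass
        results[url] = status == 200
    return results


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} BASE_URL BUCKET_ID DOWNLOAD_PASSWORD")
    for url, served in probe_unauthenticated_download(*sys.argv[1:]).items():
        print(("SERVED WITHOUT PASSWORD  " if served else "rejected                 ") + url)
```

Because the server crashed locally on `EACCES` in the reporter's setup, keep the probe's transport tolerant of connection errors if you adapt it; the default helper above only catches HTTP status errors.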