More like a quick question that I can't figure out.
I am using SonataMediaBundle on our backend Symfony server to handle users' avatar images.
The images are rendered in our app through our API thanks to the "generatePublicUrl()" function.
But the problem is that the generated URL is so easy to manipulate to get other users' avatar URLs:
https://...../uploads/media/default/0001/01/thumb_**XX**_default_square.jpg
A security audit was performed on our application and they said that:
You can just change the "XX" to any number and it will fetch the image of anyone in the database.
Is there a way to override the generated public URL, in order to have a special hash that makes it harder than just having an exposed ID in the image name?
I would say there is something wrong with the design of your API.
If the images are public, accessing other users' avatar URLs shouldn't be an issue.
If the images should be private, then don't use public URLs.
Also, if you want to add a security layer to the way you're managing images, you should restrict your URLs with voters.
Project running on Symfony 5
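As an added illustration of the answer's suggestion (this is example code, not from the question, the answer, or SonataMediaBundle): instead of exposing a direct file URL under `/uploads/media/...`, the avatar is stored outside the web root and served by a controller that first asks a Symfony voter whether the current user may see it. Assumptions: a `User` entity with `getId()` and `getAvatarPath()` (the stored file name, not a full path), avatars kept in a directory such as `%kernel.project_dir%/var/avatars` bound to the `$avatarDir` argument in `services.yaml`, SensioFrameworkExtraBundle for the `User $user` param conversion (standard on Symfony 5), and a hypothetical route `/api/users/{id}/avatar`. The voter only lets the owner or an admin through; adjust the rule if avatars are meant to be visible to other logged-in users.

```php
<?php
// Added example, not part of the original page or of SonataMediaBundle.
// Two files are shown in one listing; split them at the "// file:" markers.

// file: src/Security/AvatarVoter.php
namespace App\Security;

use App\Entity\User;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authorization\Voter\Voter;

final class AvatarVoter extends Voter
{
    public const VIEW = 'VIEW_AVATAR';

    // Only handle our attribute, and only when the subject is a User entity.
    protected function supports(string $attribute, $subject): bool
    {
        return $attribute === self::VIEW && $subject instanceof User;
    }

    protected function voteOnAttribute(string $attribute, $subject, TokenInterface $token): bool
    {
        $viewer = $token->getUser();
        if (!$viewer instanceof User) {
            return false; // anonymous requests are denied
        }

        /** @var User $subject */
        // Assumed policy: a user sees their own avatar; admins see everyone's.
        return $viewer->getId() === $subject->getId()
            || in_array('ROLE_ADMIN', $token->getRoleNames(), true);
    }
}

// file: src/Controller/AvatarController.php
namespace App\Controller;

use App\Entity\User;
use App\Security\AvatarVoter;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
use Symfony\Component\Routing\Annotation\Route;

final class AvatarController extends AbstractController
{
    /**
     * Hypothetical route; the {id} is still guessable, but guessing it no
     * longer returns anything unless the voter grants access.
     *
     * @Route("/api/users/{id}/avatar", name="user_avatar", methods={"GET"})
     */
    public function show(User $user, string $avatarDir): Response
    {
        // Throws AccessDeniedException (HTTP 403) unless AvatarVoter says yes.
        $this->denyAccessUnlessGranted(AvatarVoter::VIEW, $user);

        // basename() stops a tampered DB value from escaping $avatarDir.
        $path = $avatarDir . '/' . basename($user->getAvatarPath());
        if (!is_file($path)) {
            throw $this->createNotFoundException();
        }

        $response = new BinaryFileResponse($path);
        // Mark the response private so shared caches/CDNs never hand it to someone else.
        $response->setPrivate();
        $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_INLINE, 'avatar.jpg');

        return $response;
    }
}
```

With this layout the old `/uploads/media/...` path should not be web-served at all (move the files or deny the directory in the web server config); a random hash in the file name only hides the URL, whereas the voter enforces who may fetch it regardless of how the URL was obtained.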