Thumbnailer allows generating thumbnails for images shared as secure view only #9249
Comments
kulmann
added
the
Priority:p2-high
|
secureview should not generate a thumbnail. |
|
Not only images but as well txt files, which makes it even more critical |
|
@AlexAndBear with PR #9299 txt-files got accidentally fixed aswell 😆 |
|
|
|
@tbsbdr after a discussion with @dragonchaser I propose that we add a small info into the thumbnail readme that thumbnails will return a 403 (forbidden) for a thumbnail request that belongs to a secure view shared object when the share reciever accessses the data. we already have such info for 404 (unavailable) and too many requests (429). this readme change should directly go into the corresponding (and currently open) PR, see: #9299. pls advice. |
|
Nice, but with latest web master, we don't even request the thumbnails anymore when secure view is active, so this is more a security feature for attacks or somthing |
|
@AlexAndBear I was not aware of that, but that change would be needed anyway. Otherwise someone could craft a thumbnail link for a certain file and read the contents (as you said security...) |
|
Yeah, just wanted to update all people here in the ticket, so no one is under the impression web is still requesting endpoints, that should not be requested ;) |
When an image is shared in view only mode it should not be possible to fetch a thumbnail for it. Or not without a watermark.
The text was updated successfully, but these errors were encountered: