Defect #7750
closed
Files/attachments can be downloaded by anyone without permissions
Added by Stan Thorovsky about 13 years ago.
Updated about 13 years ago.
Category:
Permissions and roles
Description
MySQL version: 5.1.41
Ruby version: 1.8.7 (x86_64-linux)
Rails version: 2.3.5
Redmine version: 1.1
I raised this issue in the forum and was advised to submit a bug report:
http://www.redmine.org/boards/2/topics/22018
Considering that our Redmine requires authentication to access any projects it strikes me as a security hole that anyone in the world can download any files/attachments by parsing the correct URL (e.g. https://example.com/attachments/2/private_document.txt).
Since in "Roles/Permissions" Redmine allows to specify 'View Documents/Files" permission I would expect only users with that permission granted to be able to get to files and not the whole world.
Any file that we upload as "Files" or add to "Documents" can be downloaded by anyone in the world by parsing the URL directly - regardless any permissions or the fact that site requires authentication to access. Sure that 'anyone' would have to know the URL first but it is an incredibly weak protection.
Here is an example of URL that is a file in a private project in "Files" on a site that requires authentication and does not have anonymous users:
https://redmine.example.com/attachments/download/18/secretmemo.pdf
And all I need to download it is to open a terminal and type 'wget https://redmine.example.com/attachments/download/18/secretmemo.pdf'.
I can not reproduce. If authentification is required OR anonymous role has not the "View Files" permission, trying to access an attachment link as an anonymous results in a redirect to the login form:
wget http://localhost:3000/attachments/download/399/foo.pdf
--10:08:17-- http://localhost:3000/attachments/download/399/foo.pdf
=> `foo.pdf'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:3000... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: http://localhost:3000/login?back_url=http%3A%2F%2Flocalhost%3A3000%2Fattachments%2Fdownload%2F399%2Ffoo.pdf [following]
Thanks for the reply, Jean-Philippe
In our case both authentication is required and 'anonymous' and 'non-member' roles do not have any permissions.
This is what I get from wget:
stan.t@stan.t-Inspiron-1545:~$ wget https://localhost/attachments/15/explainedFILE.png
--2011-03-02 10:31:54-- https://localhost/attachments/15/explainedFILE.png
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://localhost/login?back_url=https%3A%2F%2Flocalhost%2Fattachments%2F15%2FexplainedFILE.png [following]
--2011-03-02 10:32:02-- https://localhost/login?back_url=https%3A%2F%2Flocalhost%2Fattachments%2F15%2FexplainedFILE.png
Reusing existing connection to localhost:443.
HTTP request sent, awaiting response... 200 OK
Length: 3860 (3.8K) [text/html]
Saving to: `explainedFILE.png'
100%[===================================================================================================================================>] 3,860 --.-K/s in 0s
2011-03-02 10:32:02 (21.8 MB/s) - `explainedFILE.png' saved [3860/3860]
Do we have something wrong with our specific installation?
wget saves the response to the redirect but as you can see it's a text/html response.
Please, have a look at the content of the file that wget saved, it should not be the png file that you requested but the html login page, even if wget saved it as explainedFILE.png.
- Status changed from New to Resolved
Thank you, Jean-Philippe
It is as you say - a login page. This is very reasonable. I'll mark this "Resolved".
Thank you for your help.
- Status changed from Resolved to Closed
- Resolution set to Invalid
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by