Possible security breach?

m4v3rick

The issue

If a picture or movie is posted in a discussion which can't be seen from visitor without logging in they still can be seen with the link.

So if someone sends the forum link with the movie it is not protected anymore.

clarkwinkelmann

m4v3rick which extension are you referring to?

I don't think FoF Upload or any other upload extension has actor-aware file access protection. However the URLs are not supposed to be guessable.

In the future version of FoF Upload that connects files to posts, an access control that inherits from the posts that contain the file could theoretically be implemented. But since a same file could be in multiple discussions this might be tricky to implement.

Another option would be to only generate links with expiration tokens and never reveal the full path to the file. The way FoF Upload is implemented, it's not easy to implement for all template options.

Both access control options would also have a performance hit, particularly if the goal is to serve video files (the proxy/authorization script would have to support media seek and cannot be moved to a separate server). The best would be to rely on signed URLs from an external file hosting platform like Amaton S3, another feature currently not implemented in FoF Upload.

m4v3rick

clarkwinkelmann However the URLs are not supposed to be guessable.

True that.

clarkwinkelmann In the future version of FoF Upload that connects files to posts, an access control that inherits from the posts that contain the file could theoretically be implemented. But since a same file could be in multiple discussions this might be tricky to implement.

That would be good though. If someone posts a picture inside a protected discussion which is not viewable from visitors without login, an image link could easily be posted and accessed which actually shouldn't work (without downloading and uploading on the other server). This behaviour would lead the secured area inside the flarum forum ad absurdum.

I understand that at the moment it was never thought of being protected but it could be a feature for the future.

Would it be possible that only pictures and videos on global set discussions are viewable via a direct link but pictures and videos from discussions for members are only viewable after login?
So maybe instead of (if for example the Upload extension is set to save local) locally saving into one folder per day there could be two folders per day. One folder for global media files and one folder for media files for members. Would that be better to handle?