Defect #7750

Files/attachments can be downloaded by anyone without permissions

Added by Stan Thorovsky over 13 years ago. Updated over 13 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Permissions and roles
Target version: -
Start date: 2011-03-01
Due date:
% Done: 0%
Estimated time:
Resolution: Invalid
Affected version:

Description

MySQL version: 5.1.41
Ruby version: 1.8.7 (x86_64-linux)
Rails version: 2.3.5
Redmine version: 1.1

I raised this issue in the forum and was advised to submit a bug report:

http://www.redmine.org/boards/2/topics/22018

Considering that our Redmine requires authentication to access any projects, it strikes me as a security hole that anyone in the world can download any files/attachments by parsing the correct URL (e.g. https://example.com/attachments/2/private_document.txt).

Since Redmine allows specifying a "View Documents/Files" permission in "Roles/Permissions", I would expect only users with that permission granted to be able to get to files, and not the whole world.

Any file that we upload as "Files" or add to "Documents" can be downloaded by anyone in the world by parsing the URL directly, regardless of any permissions or the fact that the site requires authentication to access. Sure, that 'anyone' would have to know the URL first, but it is incredibly weak protection.

Here is an example of a URL for a file in a private project in "Files" on a site that requires authentication and does not have anonymous users:

https://redmine.example.com/attachments/download/18/secretmemo.pdf

And all I need to do to download it is to open a terminal and type 'wget https://redmine.example.com/attachments/download/18/secretmemo.pdf'.
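As an added illustration (not Redmine's code and not the reporter's), the following plain-Ruby sketch contrasts an attachment download handler that serves any file whose numeric id is known with one that first resolves the attachment's project and requires the permission governing that project's files before serving anything. The project/attachment records, the role model, the permission name `:view_files` and the status codes returned are constructed assumptions for the example; a real tracker would look these up in its database and role configuration.

```ruby
# Illustrative attachment-download authorization check in plain Ruby.
# Not Redmine's or Rails' code; all records and permission names below are
# constructed for the example.

Project    = Struct.new(:id, :name, :is_public)
Attachment = Struct.new(:id, :filename, :project_id)
# roles_by_project maps project id => list of permissions the user holds there
User       = Struct.new(:login, :roles_by_project)

PROJECTS = {
  1 => Project.new(1, "public-docs", true),
  2 => Project.new(2, "internal", false),
}.freeze

ATTACHMENTS = {
  2  => Attachment.new(2, "private_document.txt", 2),
  18 => Attachment.new(18, "secretmemo.pdf", 2),
  5  => Attachment.new(5, "readme.txt", 1),
}.freeze

# Permissions the anonymous role holds on public projects (assumed).
# On a site that disables anonymous access this list would be empty.
ANONYMOUS_PERMISSIONS  = [:view_files].freeze
# Permissions every logged-in non-member holds on public projects (assumed).
NON_MEMBER_PERMISSIONS = [:view_files].freeze

# Central permission check: membership roles first, then the fallback role
# that applies to public projects only. Private projects never fall through.
def allowed_to?(user, permission, project)
  if user.nil?
    return project.is_public && ANONYMOUS_PERMISSIONS.include?(permission)
  end
  member_perms = user.roles_by_project[project.id]
  return member_perms.include?(permission) if member_perms
  project.is_public && NON_MEMBER_PERMISSIONS.include?(permission)
end

# Weak handler: looks the attachment up by id and serves it to whoever asks,
# which is the behaviour the report above describes. Returns [status, body].
def download_unchecked(attachment_id, _user)
  att = ATTACHMENTS[attachment_id]
  return [404, nil] unless att
  [200, att.filename]
end

# Hardened handler: the attachment's container decides who may read it.
# Unauthenticated callers are asked to log in (401); authenticated callers
# without the permission are refused (403); the id alone grants nothing.
def download_checked(attachment_id, user)
  att = ATTACHMENTS[attachment_id]
  return [404, nil] unless att
  project = PROJECTS[att.project_id]
  unless allowed_to?(user, :view_files, project)
    return [user.nil? ? 401 : 403, nil]
  end
  [200, att.filename]
end

if __FILE__ == $0
  member = User.new("stan", { 2 => [:view_files] })
  p download_unchecked(18, nil)    # served to anyone who knows the id
  p download_checked(18, nil)      # [401, nil]
  p download_checked(18, member)   # [200, "secretmemo.pdf"]
  p download_checked(5, nil)       # [200, "readme.txt"] (public project)
end
```

The point of the hardened version is that the decision is made on the attachment's container (the project and its role configuration), never on the attachment id itself; an unguessable id is not an access control. A useful deployment check is to request a known private attachment URL from a logged-out session and confirm the response is 401/403 rather than the file.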
