
Bug in Upload URLs (Require user authentication over URLs)
Closed, ResolvedPublic

Description

Steps to Reproduce:

  1. Create a task.
  2. Provide the relevant info and upload an image and a text file.
  3. Select "Visible To: No One", then provide any other relevant info.
  4. The new task is created successfully.
  5. Now open the task just created and open the uploaded files (the image and the text file) in a new tab.
  6. The resulting URLs of the image and text file have no authentication.

Actual result:

  1. The image and text file can be accessed and read by an unauthorised person (due to no authentication).

Expected result:

  1. Require credentials when the URLs are accessed.

image.JPG (691×1 px, 54 KB)

testfile.JPG (691×1 px, 40 KB)

Event Timeline

epriestley claimed this task.
epriestley added a subscriber: epriestley.

In the future, please report security issues via HackerOne: https://hackerone.com/phabricator -- notably, this allows us to award you a security bounty if you discover an issue.

This is not a security issue, but an intentional design decision. See T10262 for discussion. Many similar services use an identical design, including Facebook, Google, and GitHub (see T10262#158198 for a list). The rest of T10262 discusses the design in more detail.

The image URL includes a 100-bit secret which prevents attackers from guessing URLs. This secret is rotated when the policies for a file change.
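The design epriestley describes above (a high-entropy secret embedded in the file URL, rotated whenever the file's policy changes) can be modelled in a few lines. The following is an added illustration written for this page, not Phabricator's own code: the `FileRecord`/`FileStore` classes, the `/file/data/<secret>/<id>/<name>` path layout and the 100-bit hex secret are assumptions chosen to mirror the comment, and the constant-time comparison is the check a defender would want so that the secret cannot be recovered byte by byte through timing.

```python
import hmac
import secrets

# Constructed model of capability-style file URLs (assumption: not Phabricator's code).
SECRET_BITS = 100  # the comment above states the URL secret is 100 bits


class FileRecord:
    """One uploaded file: its id, name, view policy and the current URL secret."""

    def __init__(self, file_id: str, name: str, view_policy: str):
        self.file_id = file_id
        self.name = name
        self.view_policy = view_policy
        self.secret = self._new_secret()

    @staticmethod
    def _new_secret() -> str:
        # 100 bits from the OS CSPRNG, hex-encoded as 25 characters.
        # An attacker who knows the URL layout still faces 2**100 guesses.
        return format(secrets.randbits(SECRET_BITS), "025x")

    def url(self) -> str:
        # Assumed path layout; the secret is part of the path, so anyone holding
        # the URL (and only them) can fetch the bytes.
        return f"/file/data/{self.secret}/{self.file_id}/{self.name}"

    def set_view_policy(self, policy: str) -> None:
        # Rotating the secret on a policy change invalidates every URL that was
        # handed out under the old policy, which is the property the comment relies on.
        self.view_policy = policy
        self.secret = self._new_secret()


class FileStore:
    """Lookup side: resolves a requested path back to a record, or refuses."""

    def __init__(self):
        self._files: dict[str, FileRecord] = {}

    def add(self, rec: FileRecord) -> FileRecord:
        self._files[rec.file_id] = rec
        return rec

    def fetch(self, path: str):
        parts = path.split("/")
        # Expect ["", "file", "data", secret, file_id, name].
        if len(parts) != 6 or parts[:3] != ["", "file", "data"]:
            return None
        secret, file_id, name = parts[3], parts[4], parts[5]
        rec = self._files.get(file_id)
        if rec is None:
            return None
        # Constant-time comparison so response timing leaks nothing about the secret.
        if not hmac.compare_digest(rec.secret, secret):
            return None
        if rec.name != name:
            return None
        return rec


def demo() -> tuple[bool, bool, bool]:
    """Returns (old URL works, old URL works after policy change, new URL works)."""
    store = FileStore()
    rec = store.add(FileRecord("123", "image.JPG", "no-one"))  # constructed sample
    old_url = rec.url()
    before = store.fetch(old_url) is rec
    rec.set_view_policy("public")
    after_old = store.fetch(old_url) is rec
    after_new = store.fetch(rec.url()) is rec
    return before, after_old, after_new


if __name__ == "__main__":
    print(demo())
```

Two details carry the security argument: the secret comes from `secrets` (a CSPRNG, never `random`), and the server compares it with `hmac.compare_digest` so a wrong guess is rejected in the same time regardless of how many leading characters matched. The trade-off epriestley points to is unchanged by the model: whoever already holds a URL can share it until the policy changes and the secret rotates.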