View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
1233 | Composr | General / Uncategorised | public | 2013-05-08 20:43 | 2013-05-08 21:47

Field | Value
---|---
Reporter | Chris Graham
Assigned To | Chris Graham
Priority | high
Severity | minor
Status | resolved
Resolution | fixed
Product Version | 9.0.6
Summary | 1233: Add security around files attached to catalogue entries
Description | Catalogues and catalogue categories can be access controlled but no access specifically runs against attached files. This would mean that someone could guess at URLs to find attached files. Catalogue files were never originally designed/specified to be a secure upload mechanism. However, it is understandable people may want to use them this way -- so we are applying catalogue access permissions to them in this hotfix.
Tags | No tags attached.
Attached Files |
Time estimation (hours) |
Sponsorship open |
Fixed in git commit 2bb84a4 (https://github.com/chrisgraham/Composr/commit/2bb84a4 - link will become active once code pushed). A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. they may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).

This hotfix also removes video display for 'upload' fields. This is because v9 added a 'video' field of its own, so the functionality no longer made sense.

Note that there will be no additional security for custom fields on content types nor on CPFs. This patch can only add security for regular catalogue entries. A much more complex patch has been put in for v10, due to the need for this to work with the new multi upload fields coming in v10. That was trickier due to there no longer being a simple 1-to-1 correspondence between fields and files, in relation to a particular entry -- while continuing to need to enforce security, define appropriate exceptions and maintain framework abstraction.
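As an added illustration of the check this issue describes (example code written for this page, not Composr's own implementation; the classes, ids, group names and file contents are all constructed), the following Python models a file-serving path that resolves an attached file back to its catalogue entry and category and applies their access permissions before returning any bytes. It also models the many-files-per-entry case the v10 note mentions, so the same check works whether an entry has one attachment or several. `serve_unchecked` shows the weakness of serving by guessable id alone; `serve` is the checked form.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


# Constructed model (not Composr code): a catalogue category, entries in it,
# and files attached to an entry. Several files may belong to one entry.

@dataclass(frozen=True)
class Category:
    id: int
    view_groups: FrozenSet[str]  # user groups allowed to see this category


@dataclass(frozen=True)
class Entry:
    id: int
    category_id: int
    view_groups: Optional[FrozenSet[str]] = None  # None: inherit the category ACL


@dataclass(frozen=True)
class StoredFile:
    id: int
    entry_id: int
    content: bytes


@dataclass(frozen=True)
class User:
    id: int
    groups: FrozenSet[str]


class NotFound(Exception):
    """Raised both for missing files and for files the user may not see."""


class AttachmentStore:
    def __init__(self, categories: List[Category], entries: List[Entry],
                 files: List[StoredFile]):
        self.categories = {c.id: c for c in categories}
        self.entries = {e.id: e for e in entries}
        self.files = {f.id: f for f in files}
        # Reverse index: one entry -> many attached files (the v10-style case).
        self.files_by_entry: Dict[int, List[int]] = {}
        for f in files:
            self.files_by_entry.setdefault(f.entry_id, []).append(f.id)

    def can_view_entry(self, user: User, entry: Entry) -> bool:
        """Category ACL first, then the entry's own ACL if it has one."""
        category = self.categories[entry.category_id]
        if not user.groups & category.view_groups:
            return False
        if entry.view_groups is not None and not user.groups & entry.view_groups:
            return False
        return True

    def serve_unchecked(self, file_id: int) -> bytes:
        """The weakness the issue describes: any valid (or guessed) file id
        is served regardless of the owning entry's permissions."""
        return self.files[file_id].content

    def serve(self, user: User, file_id: int) -> bytes:
        """Checked path: file -> entry -> category, permissions applied first."""
        f = self.files.get(file_id)
        if f is None:
            raise NotFound(file_id)
        entry = self.entries.get(f.entry_id)
        if entry is None or not self.can_view_entry(user, entry):
            # Same outcome as a missing file, so a probe cannot distinguish
            # a protected id from an unused one.
            raise NotFound(file_id)
        return f.content

    def is_served(self, user: User, file_id: int) -> bool:
        """Convenience predicate: True if `serve` would return content."""
        try:
            self.serve(user, file_id)
            return True
        except NotFound:
            return False

    def visible_files(self, user: User, entry_id: int) -> List[int]:
        """Attachment listing for an entry, empty unless the entry is viewable."""
        entry = self.entries.get(entry_id)
        if entry is None or not self.can_view_entry(user, entry):
            return []
        return list(self.files_by_entry.get(entry_id, []))


# Constructed sample data: category 1 is staff-only, category 2 is open to
# guests and staff, but entry 21 inside it restricts itself to staff.
STORE = AttachmentStore(
    categories=[Category(1, frozenset({"staff"})),
                Category(2, frozenset({"guest", "staff"}))],
    entries=[Entry(10, category_id=1),
             Entry(20, category_id=2),
             Entry(21, category_id=2, view_groups=frozenset({"staff"}))],
    files=[StoredFile(100, 10, b"internal.pdf"),
           StoredFile(101, 10, b"internal-2.pdf"),
           StoredFile(200, 20, b"public.pdf"),
           StoredFile(210, 21, b"staff-only.pdf")],
)
STAFF = User(1, frozenset({"staff"}))
GUEST = User(2, frozenset({"guest"}))

if __name__ == "__main__":
    print("unchecked, guest:", STORE.serve_unchecked(100))   # served regardless
    print("checked, guest:", STORE.is_served(GUEST, 100))    # False
    print("checked, staff:", STORE.is_served(STAFF, 100))    # True
```

The important design point is where the lookup starts: the handler is keyed on the file, and every response goes through the entry and category ACL before the bytes are read. Returning the same not-found result for "no such file" and "not permitted" keeps the file id space from acting as an oracle, which matters precisely because the ids or paths may be guessable.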
Date Modified | Username | Field | Change |
---|---|---|---|
2023-02-26 18:29 | Chris Graham | Category | General => General / Uncategorised |