
Download URL contains secrets. #27

Open
illegalprime opened this issue Oct 11, 2017 · 2 comments

@illegalprime (Member)

Currently when one logs in and presses the download button, they can then take that link and use it anywhere (even when they are not logged in!). This cannot be used if this bug exists, we don't want to leak info.

@illegalprime (Member Author)

It's also seen as a pop-up by Chrome, which is not good (because of the different host, I guess).

@illegalprime (Member Author)

@Anish2
Maybe this is outdated by now, is it a timeout link or a one-time link generated by S3?
I think just forget all these S3 generated links and have the server retrieve the file, not the client.
This is because if you give the client the link it might not load it in time to pass the timeout or it might retry to load it and fail from the one-time link.
Also be sure to disable Cloudflare's caching for sensitive information.

Thanks!
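The two patterns discussed in this thread, as an added example that is not part of the project or of any comment above. The "presigned link" half imitates an S3-style signed download URL with a constructed HMAC key and an in-memory stand-in for the bucket, to show why a URL that checks only signature and expiry is a bearer secret (anyone holding it can use it, it stops working after the timeout, and a one-time link fails on retry). The `download_via_server` half is the pattern the last comment recommends: the server checks the session and the user's permission, reads the object itself, and returns it same-origin with `Cache-Control: no-store` so Cloudflare and browsers do not cache it. Every name, key, session and file here is a constructed assumption.

```python
"""Added example (not the project's code): presigned download links versus
serving a private object through the authenticated server."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for an object store (bucket -> key -> bytes).
FAKE_STORE = {"private-bucket": {"report.pdf": b"%PDF-1.4 constructed sample"}}
# Constructed session table (session cookie -> user id) and per-user ACL.
SESSIONS = {"sess-alice": "alice"}
ACL = {"alice": {("private-bucket", "report.pdf")}}
# Constructed signing key for the presigned-link imitation; not a real S3 key.
SIGNING_KEY = b"constructed-demo-key"
STORE_ORIGIN = "https://objects.example/"
USED_LINKS = set()  # models a one-time link: second use is refused


@dataclass
class Response:
    status: int
    body: bytes = b""
    headers: Dict[str, str] = field(default_factory=dict)


def presign(bucket: str, key: str, expires_in: int, now: Optional[float] = None) -> str:
    """Leaky pattern: a signed URL that is valid for anyone until `expires`."""
    exp = int((now if now is not None else time.time()) + expires_in)
    sig = hmac.new(SIGNING_KEY, f"{bucket}/{key}/{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{STORE_ORIGIN}{bucket}/{key}?expires={exp}&sig={sig}"


def fetch_presigned(url: str, now: Optional[float] = None) -> Response:
    """The store's side of the link: it checks signature, expiry and single use,
    but never who is asking, so a leaked URL works without any login."""
    path, _, query = url.partition("?")
    bucket, key = path[len(STORE_ORIGIN):].split("/", 1)
    params = dict(p.split("=", 1) for p in query.split("&"))
    exp = int(params["expires"])
    expected = hmac.new(SIGNING_KEY, f"{bucket}/{key}/{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return Response(403)
    if (now if now is not None else time.time()) > exp:
        return Response(403)  # timeout: the client did not load it in time
    if url in USED_LINKS:
        return Response(403)  # one-time link: a retry fails
    USED_LINKS.add(url)
    return Response(200, FAKE_STORE[bucket][key])


def download_via_server(session_token: Optional[str], bucket: str, key: str) -> Response:
    """Recommended pattern: the application server authenticates and authorizes
    the caller, fetches the object itself and streams it back same-origin.
    No store URL, signature or credential ever reaches the client."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        return Response(401)
    if (bucket, key) not in ACL.get(user, set()):
        return Response(403)
    data = FAKE_STORE.get(bucket, {}).get(key)
    if data is None:
        return Response(404)
    headers = {
        # Stop Cloudflare and browsers from caching sensitive bodies.
        "Cache-Control": "private, no-store, max-age=0",
        # Same-origin attachment: no cross-host pop-up in the browser.
        "Content-Disposition": f'attachment; filename="{key}"',
        "Content-Type": "application/octet-stream",
    }
    return Response(200, data, headers)


if __name__ == "__main__":
    link = presign("private-bucket", "report.pdf", 60, now=1000.0)
    print("presigned, no session, before expiry:", fetch_presigned(link, now=1030.0).status)
    print("presigned, retried:", fetch_presigned(link, now=1031.0).status)
    print("server-side, not logged in:", download_via_server(None, "private-bucket", "report.pdf").status)
    print("server-side, logged in:", download_via_server("sess-alice", "private-bucket", "report.pdf").status)
```

In a real deployment the `FAKE_STORE` lookup becomes a server-side `GetObject` call made with the server's own credentials, and the response is streamed rather than buffered; the access decision and the `no-store` header stay exactly where they are here, on the server.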
