[Security] Thumbnails of private bookmarks are accessible without authentication #578

Closed
andrigamerita opened this issue Feb 13, 2023 · 1 comment · Fixed by #627
Labels: tag:security 🛡️, type:bug (Something isn't working)

Comments

@andrigamerita

Data

  • Shiori version: v1.5.4 (latest release)
  • Database Engine: SQLite
  • Operating system: Raspbian GNU/Linux 11 (bullseye), Linux raspberrypi 5.15.84-v7+ #1613 SMP Thu Jan 5 11:59:48 GMT 2023 armv7l GNU/Linux
  • CLI/Web interface/Web Extension: Web server (affects the server itself, not the web UI)

Describe the bug / actual behavior

If the /bookmark/{ID}/thumb HTTP endpoint of a Shiori instance running in serve mode is reached, where ID is the numeric id of an existing saved bookmark, the image file that is the thumbnail of the corresponding bookmark is returned, regardless of whether the bookmark in question is private and the current HTTP request is unauthenticated.

Expected behavior

If the above-mentioned endpoint is reached, the software should return the data of the thumbnail image file only if at least one of the following conditions is met; otherwise it should redirect to the login page, exactly as already correctly happens with the /bookmark/{ID}/content and /bookmark/{ID}/archive endpoints (or, at the very least, deny access with an error):

  • The bookmark is marked as public in the database
  • The bookmark is marked as private in the database but the request is correctly authenticated

To Reproduce

Steps to reproduce the behavior:

  1. Know the ID of a private bookmark (trivial due to IDs not being random)
  2. Verify that, without having a logged-in session in an account that owns the bookmark, it is not readable from either the /bookmark/{ID}/content or /bookmark/{ID}/archive HTTP endpoints of a Shiori instance running in serve mode (which is correct behavior)
  3. Try to access the /bookmark/{ID}/thumb still without having a valid session, and notice that the thumbnail file is accessible as if the article it belongs to wasn't private (which shouldn't happen)

Screenshots

Not applicable.

Curl demonstration

$ curl --output - https://PRIVATE/bookmark/2/archive/
<a href="/login?dst=%2Fbookmark%2F2%2Farchive%2F">Moved Permanently</a>.

$ curl --output - https://PRIVATE/bookmark/2/thumb
{Binary data of the image file}
@andrigamerita andrigamerita added the type:bug Something isn't working label Feb 13, 2023
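The handler logic the report describes, written as an added Go example that is not Shiori's own code: `vulnerableThumb` serves any existing bookmark's thumbnail with no check, and `fixedThumb` applies the two conditions from the expected-behaviour section (public bookmark, or authenticated request) and otherwise redirects to `/login?dst=...` the way the `/archive` response in the curl demonstration does. The `Bookmark` struct, the in-memory `store`, the `X-Session` header used by `isAuthenticated`, and the `probe` helper are all constructed for this example and are not Shiori's model, database or session mechanism.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
)

// Bookmark carries only the fields this check needs; it is a constructed
// stand-in, not Shiori's own bookmark model.
type Bookmark struct {
	ID     int
	Public bool
	Thumb  []byte
}

// store is a constructed in-memory stand-in for the database:
// ID 1 is public, ID 2 is private.
var store = map[int]Bookmark{
	1: {ID: 1, Public: true, Thumb: []byte("PNG-public")},
	2: {ID: 2, Public: false, Thumb: []byte("PNG-private")},
}

// isAuthenticated is a hypothetical session check: a request counts as
// logged in when it carries the constructed header "X-Session: valid".
func isAuthenticated(r *http.Request) bool {
	return r.Header.Get("X-Session") == "valid"
}

// lookup parses a /bookmark/{ID}/thumb path and fetches the bookmark.
func lookup(path string) (Bookmark, bool) {
	parts := strings.Split(strings.Trim(path, "/"), "/")
	if len(parts) != 3 || parts[0] != "bookmark" || parts[2] != "thumb" {
		return Bookmark{}, false
	}
	id, err := strconv.Atoi(parts[1])
	if err != nil {
		return Bookmark{}, false
	}
	bm, found := store[id]
	return bm, found
}

// vulnerableThumb reproduces the reported behaviour: every existing
// bookmark's thumbnail is served without consulting Public or the session.
func vulnerableThumb(w http.ResponseWriter, r *http.Request) {
	bm, found := lookup(r.URL.Path)
	if !found {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "image/png")
	_, _ = w.Write(bm.Thumb)
}

// fixedThumb applies the rule from the issue: serve only when the bookmark
// is public or the request is authenticated; otherwise redirect to the login
// page with a dst parameter, as /content and /archive already do.
func fixedThumb(w http.ResponseWriter, r *http.Request) {
	bm, found := lookup(r.URL.Path)
	if !found {
		http.NotFound(w, r)
		return
	}
	if !bm.Public && !isAuthenticated(r) {
		dst := url.QueryEscape(r.URL.Path)
		http.Redirect(w, r, "/login?dst="+dst, http.StatusMovedPermanently)
		return
	}
	w.Header().Set("Content-Type", "image/png")
	_, _ = w.Write(bm.Thumb)
}

// probe drives a handler with an in-process request (no network) and returns
// status, body and Location header, mirroring the curl calls in the report.
func probe(h http.HandlerFunc, path string, authenticated bool) (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if authenticated {
		req.Header.Set("X-Session", "valid")
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Body.String(), rec.Header().Get("Location")
}

func main() {
	for _, h := range []struct {
		name string
		fn   http.HandlerFunc
	}{{"vulnerable", vulnerableThumb}, {"fixed", fixedThumb}} {
		code, body, loc := probe(h.fn, "/bookmark/2/thumb", false)
		fmt.Printf("%-10s unauthenticated private thumb -> %d %q %s\n", h.name, code, body, loc)
	}
}
```

The authorization check sits after the lookup so that a request for a non-existent ID still gets a 404 and a private bookmark never leaves the server unless one of the two conditions holds; the redirect target carries the escaped original path, so a user who logs in lands back on the thumbnail, matching the `Moved Permanently` response already shown for `/archive`.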
@Monirzadeh
Collaborator

@andrigamerita thanks for your report, I've sent a PR to fix that.

fmartingr added a commit that referenced this issue Jul 2, 2023
…627)

* thumb image will not be accessible anymore if it is private, fix #578

* Update internal/webserver/handler-ui.go better error handling

Co-authored-by: Felipe Martin <[email protected]>

---------

Co-authored-by: Felipe Martin <[email protected]>