
Files downloadable w/o auth
Closed, Invalid (Public)

Description

Author: paul.marcus1

Description:
I have MediaWiki set up with SecurID authentication. Everything appeared to work fine until the other day when someone sent the file location on the server instead of the URL of the page the file could be downloaded from. No authentication was needed and the file could be downloaded.

To try to make it clearer: normally, to download a file from the wiki I would send the following - a link to the page the file was on:

https://myserver.com/info/Prototype_Monthly_Vuln

And say to download the appropriate file from the page. No problem. Authentication was needed.

If instead I send a link to the file:

https://myserver.com/myserver/images/5/5a/filetodownload.fs.2009-01-22.csv

A person just has to click on the link and the file will download, no authentication needed.

Any help you can give would be greatly appreciated.


Version: 1.14.x
Severity: major
OS: Linux
Platform: PC

Details

Reference
bz17572