Unauthorized uploaded files (attachments) access


Lukasz

Jan 14, 2021, 8:01:24 AM
to Review Board Community
Hi all RB users and devs,
we've received a report about the possibility of accessing an uploaded file via a direct link even if the user is not logged in to RB.

Steps to reproduce:

- log in to RB
- upload some file to a review request, copy its URL
- log out
- paste the URL into the browser, example pattern:

https://rb_site.com/media/uploaded/files/2021/01/11/9f1bf574-3b3b-4692-a486-9570953c9913__test.txt

Expected result:
an access denied page or an authentication prompt should appear

Actual result:
you will see the content of the file without authorization

Is it possible to set up Apache or RB in some way to reach the expected result (the issue was also noticed on the RB 4.0 demo)?

Regards,

Lukasz



Christian Hammond

Jan 14, 2021, 7:58:52 PM
to revie...@googlegroups.com
Hi Lukasz,

That's correct, and is why we provide UUIDs as part of the uploaded filename, so guessing/scanning of files is unlikely. When used with CDN services, like S3, access can be time-limited via a temporary URL, but for basic setups in-house that utilize Apache, Review Board has no control over the access policies.

There's no way to tie Apache into Review Board's access controls without writing something custom. If using something like LDAP, you could conceivably gate off access based on first logging into LDAP, though as that wouldn't coordinate with Review Board, users are going to see that pop up any time Apache needs access to load an uploaded media file while on a Review Board page.

You could have some custom extension that serves up the files, requiring a login session, and tell Apache to rewrite any URLs to those media files to point to Review Board using a RewriteRule. That might be the best approach for your use case, and it's one we can consider optionally providing in the future, but note that there is a performance hit to having Review Board serve up media files, which is why we leave it to Apache or CDNs.

Christian


--
Supercharge your Review Board with Power Pack: https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/


--
Christian Hammond
President/CEO of Beanbag
Makers of Review Board
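The gated-serving approach the reply describes (Apache rewrites upload URLs to the application, which only serves the file to a logged-in session), as an added example in plain Python. This is not Review Board's or Beanbag's code and does not use the Review Board extension API; the function names, the rewrite rule in the comment and the media tree it builds are assumptions for illustration.

```python
# Added example (not Review Board's code): an application-side gate for
# /media/uploaded/... files. Assumed Apache rewrite that routes the media
# URL prefix to this handler instead of serving the file directly:
#   RewriteEngine On
#   RewriteRule ^/media/uploaded/(.*)$ /gated-media/$1 [PT]
from __future__ import annotations
from pathlib import Path
import tempfile

UPLOAD_PREFIX = "/media/uploaded/"

def resolve_upload(media_root: Path, url_path: str) -> Path | None:
    """Map a request path to a file under media_root/uploaded, or None when
    the path leaves the upload tree (e.g. '..' traversal) or is not a file."""
    if not url_path.startswith(UPLOAD_PREFIX):
        return None
    relative = url_path[len(UPLOAD_PREFIX):]
    upload_root = (media_root / "uploaded").resolve()
    candidate = (upload_root / relative).resolve()
    # resolve() collapses '..' and symlinks; the result must stay in the tree.
    if upload_root not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None

def serve_upload(media_root: Path, url_path: str, is_authenticated: bool) -> tuple[int, bytes | None]:
    """Return (HTTP status, body). Anonymous requests are refused before the
    path is looked up, so the response does not reveal whether a file exists."""
    if not is_authenticated:
        return 403, None
    target = resolve_upload(media_root, url_path)
    if target is None:
        return 404, None
    return 200, target.read_bytes()

def demo() -> dict[str, int]:
    """Build a constructed media tree and exercise the three cases."""
    root = Path(tempfile.mkdtemp())
    upload_dir = root / "uploaded" / "files" / "2021" / "01" / "11"
    upload_dir.mkdir(parents=True)
    (upload_dir / "sample__test.txt").write_bytes(b"hello")  # constructed
    (root / "secret.txt").write_bytes(b"outside the upload tree")
    url = "/media/uploaded/files/2021/01/11/sample__test.txt"
    return {
        "anonymous": serve_upload(root, url, False)[0],
        "logged_in": serve_upload(root, url, True)[0],
        "traversal": serve_upload(root, "/media/uploaded/../secret.txt", True)[0],
    }
```

Routing every upload URL through the application is what the reply warns costs throughput; the traversal check matters because the rewrite hands the handler an attacker-chosen path.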