Roundup Tracker - Issues

Issue 2551345

classification
Access to static files is not limited by origin
Type: behavior Severity: normal
Components: Web interface Versions:
process
Status: new Resolution: remind
: : rouilj
Priority: :

Created on 2024-05-02 01:53 by rouilj, last changed 2024-05-02 02:27 by rouilj.

Messages
msg8027 Author: [hidden] (rouilj) Date: 2024-05-02 01:53
It appears that you can request a static file from a Roundup instance from any
web page. The origin (CSRF) and other checks are not applied.

Anti leeching can be implemented by a proxy server.

So not a major issue, but it would be nice to provide a native method to
prevent inline linking/leeching.
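
The anti-leeching check mentioned above, sketched as a WSGI middleware that could wrap the tracker or sit in a front-end proxy layer. This is an added example, not part of the original message and not Roundup's own code; the `@@file/` path marker, the `ALLOWED_ORIGINS` value and the names `static_request_allowed` and `AntiLeechMiddleware` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions: the tracker's own origin (constructed sample value) and the
# URL path component under which static files are served.
ALLOWED_ORIGINS = {"https://tracker.example.org"}
STATIC_MARKER = "/@@file/"


def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port], or None."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers the literal "null" origin and malformed values
    return f"{parts.scheme}://{parts.netloc}".lower()


def static_request_allowed(environ, allowed=ALLOWED_ORIGINS):
    """Return False when a static file is requested from a foreign page."""
    if STATIC_MARKER not in environ.get("PATH_INFO", ""):
        return True  # not a static file: left to the tracker's own checks
    # Fetch metadata, when the browser sends it, is the clearest signal.
    site = environ.get("HTTP_SEC_FETCH_SITE")
    if site in ("same-origin", "none"):
        return True
    if site == "cross-site":
        return False
    # Fall back to Origin, then Referer.
    source = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER")
    if not source:
        # Direct navigation or a stripped Referer: allowed, because this is
        # anti-leeching for embedded content, not access control.
        return True
    return origin_of(source) in allowed


class AntiLeechMiddleware:
    """Answer 403 for cross-origin static file requests, pass the rest on."""

    def __init__(self, app, allowed=ALLOWED_ORIGINS):
        self.app, self.allowed = app, set(allowed)

    def __call__(self, environ, start_response):
        if static_request_allowed(environ, self.allowed):
            return self.app(environ, start_response)
        body = b"Cross-origin use of static files is not permitted.\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]
```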
History
Date User Action Args
2024-05-02 02:27:04 rouilj set resolution: remind
2024-05-02 01:53:16 rouilj create