Not clearing old photos ever, and an index is available (not even obscurity)
marc-git opened this issue · 3 comments
marc-git commented
Hi, thanks for your server setup. I noticed with the attachments that the storage location has an index.html file in the root directory (per user?), so actually once you get into the server you get into everything that was ever sent.
Are you doing this at all?
https://github.com/ThomasLeister/prosody-filer#automatic-purge
Maybe -max-depth 0 isn't what you wanted?
ThomasLeister commented
Hi!
Thanks for your report. I could reproduce the problem. Directory listings are blocked at root level, but as soon as you have the first hash (one directory level down) they are available again.
This should of course not be possible. I'll provide a bug fix as soon as possible.
On 7 January 2020 at 20:05:40, marc-git <notifications@github.com> wrote:
… Hi, thanks for your server set up. I noticed with the attachments that the
storage location has an index.html file in the root directory (per user?),
so actually once you get into the server you get into everything that was
ever sent.
Are you doing this at all?
https://github.com/ThomasLeister/prosody-filer#automatic-purge
Maybe -max-depth 0 isn't what you wanted?
ThomasLeister commented
Also thanks for pointing out the mistake in the "find" command (to clean up uploads). I updated the README.md in 3bc8446.
marc-git commented
No worries. Thanks for running my xmpp account ;)
A good lesson that config security is just as important as code security. I only looked into it when I realised that image attachments are not encrypted.
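
The upload cleanup discussed in this thread, as an added example that is not taken from the thread or from the prosody-filer README: an age-based purge next to the same test limited with -maxdepth 0, which makes find examine only the start directory. It assumes uploads are stored as store/hash-directory/file and that find supports -mindepth, -maxdepth and -delete (GNU and BSD find do; they are not POSIX); the function names and the sample layout are made up for illustration.

```shell
#!/bin/sh
# Added example. Assumed layout: <store>/<hash-dir>/<uploaded file>.
# Function names are hypothetical, not from prosody-filer.

# List uploaded files under store $1 whose mtime is more than $2 days old.
list_expired() {
    find "$1" -mindepth 1 -type f -mtime +"$2" -print
}

# Same test, but with -maxdepth 0 find looks at the store directory itself
# and nothing below it, so no uploaded file can ever match.
list_expired_depth0() {
    find "$1" -maxdepth 0 -type f -mtime +"$2" -print
}

# Delete expired files, then remove hash directories that are left empty.
# The store directory itself is kept (-mindepth 1).
purge_expired() {
    store=$1
    days=$2
    [ -d "$store" ] || { echo "not a directory: $store" >&2; return 1; }
    find "$store" -mindepth 1 -type f -mtime +"$days" -delete &&
    find "$store" -mindepth 1 -type d -empty -delete
}
```

Running list_expired before purge_expired gives a dry run of what the purge would delete.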