Download privilege escape with plugins

Question

Download privilege escape with plugins

Closed this issue 7 months ago · 3 comments

It is possible to download files/folders with the (can_see) permission that appear in the File List through plugins that perform Show, Preview, Play Media ... etc. operations. This situation allows the (can_download: false) permission to be exceeded.

Only the way to prevent this is (can_see = false) permission.

Answer 1 · 2024-09-09T14:39:31.000Z

but what happens when you click on one of those, like show?

Answer 2 · 2024-09-09T15:36:33.000Z

Sorry, my mistake.
The data it shows is not the file content, it is the HFS Web Page interface again, it just shows HTML information as text.

Answer 3 · 2024-09-11T22:07:23.000Z

ok, but this has brought to my attention that these plugins are not currently able to determine that they fail at getting the file.
I'll take care of it.