Search Widget makes media and urls available for anonymous visitors

Started by on Apr 27, 2019 – Contents updated: Aug 17, 2019

Apr 27, 2019 02:53

I'm not reporting this as a bug because, in fact, I don't consider it one.

I'm starting to generate contents, uploading images and writing articles; no post has public status yet. But if an anonymous visitor uses the Search tool (widget or /?disp=search), typing just "a" shows a list of all media that I uploaded. That happens, I guess, because the media files are public a priori / by default, and that's OK (well, maybe not always OK).

The second piece of information made available is the URL for the posts, which, as the visitor is not logged in as a member, won't display anything. But the point is that anyone could guess / sneak a peek at some things that I just haven't published yet... Imagine, for example, if the image reveals some contest's winner.

I'm not very comfortable with restricted information being public, so I would appreciate any insights on tightening this belt.

The post's URL is in the last line of each result (in the attached example, the ones starting with "Em "). If that line were hidden for future publications, I believe it would be good enough. As for the images, that may be another discussion, because an image would sometimes be shared between posts.

Apr 27, 2019 10:39

I'm starting to generate contents, uploading images and writing articles; no post has public status yet. But if an anonymous visitor uses the Search tool (widget or /?disp=search), typing just "a" shows a list of all media that I uploaded.

I thought whether files/images are findable via search is set in Features > Other displays > Search Results on v6.10.8.

On my 7.0.0 site I've just put images in a /media blog; the site was empty before that, just a basic default setup?
Searching doesn't find any of the images I've just put there by file name, even with files searchable.

That happens, I guess, because the media files are public a priori / by default, and that's OK (well, maybe not always OK).
I would have thought that the permissions would be set so that only the server can access the media via a server script, not a plain URL.

Apr 27, 2019 11:56

Hi amoun,
I haven't tried v7 yet; I'll wait some more time, as it seems there are a lot of changes going on. I'll probably try the first beta.

I see your point about the search options, but that would block all instances in any case, and that's surely not what one would want.
BUT... look at the weights: maybe if we had a strong negative weight for the "not public" ones, these could potentially not even appear in the results? That would be cool! Just an idea.

Apr 27, 2019 12:42

Having given thought to your notice about access, I have just modified my .htaccess in the media folder to stop external referrals to my media folder; it won't stop access via the search, though.

# We don't want any PHP execution in this folder! (Prevent direct invocation of PHP files)
<IfModule mod_php5.c>
	php_flag engine off
</IfModule>

<IfModule mod_rewrite.c>
	RewriteEngine On

	# Redirect any _evocache file that does not exist to generate new by htsrv/getfile.php:
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{QUERY_STRING} mtime=(\d+)
	RewriteRule ^(.+/[_\.]evocache/.+/([a-z0-9\-]+)\.[a-z]{3,4})$ /htsrv/getfile.php?abspath=$1&size=$2&mtime=%1 [L]

	# ADDED the following 4 lines to stop external referrals
	# (RewriteEngine On is already set above; repeating it is harmless.)
	# An image is redirected only when the Referer is present AND is not from this site,
	# so requests with no Referer at all are still served as-is.
	RewriteEngine On
	RewriteCond %{HTTP_REFERER} !^https://(.+\.)?calstock\.org\.uk/ [NC]
	RewriteCond %{HTTP_REFERER} !^$
	RewriteRule .*\.(jpe?g|gif|bmp|png|jpg|tif)$ https://calstock.org.uk/favicon.ico [L]
</IfModule>
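As an added example (not amoun's configuration and not b2evolution code), the Python below reproduces the decision the three-condition hotlink rule above makes, so its coverage can be checked offline against constructed requests. It copies the two regexes from the rule, keeps the hostname the post uses (calstock.org.uk) and assumes Apache's evaluation order: the RewriteRule pattern is tested first, and the RewriteConds only if it matched.

```python
import re

# Patterns copied from the .htaccess rule above. The hostname (calstock.org.uk)
# is the one used in that post; a real site substitutes its own.
# The referer condition carries [NC], the RewriteRule itself does not, so the
# extension match is case-sensitive while the referer match is not.
ALLOWED_REFERER = re.compile(r"^https://(.+\.)?calstock\.org\.uk/", re.IGNORECASE)
IMAGE_PATH = re.compile(r".*\.(jpe?g|gif|bmp|png|jpg|tif)$")


def rewrite_decision(path, referer):
    """Return "redirect" or "serve" for one request, mirroring the rule's logic.

    Apache tests the RewriteRule pattern first and evaluates the RewriteConds
    only if it matched; every condition must hold for the rule to fire.
    """
    # RewriteRule .*\.(jpe?g|gif|bmp|png|jpg|tif)$ -> non-image requests are untouched
    if not IMAGE_PATH.match(path):
        return "serve"
    # RewriteCond %{HTTP_REFERER} !^$ -> a missing or empty Referer does NOT trigger the rule
    if not referer:
        return "serve"
    # RewriteCond %{HTTP_REFERER} !^https://(.+\.)?calstock\.org\.uk/ [NC]
    if ALLOWED_REFERER.match(referer):
        return "serve"
    # All conditions held: the [L] rule sends the client to favicon.ico instead
    return "redirect"


# Constructed sample requests (path, Referer header) exercising each branch.
SAMPLE_REQUESTS = {
    "own_site": ("/media/blogs/a/beds.jpg", "https://calstock.org.uk/index.php"),
    "own_subdomain": ("/media/blogs/a/beds.jpg", "https://www.calstock.org.uk/"),
    "other_site": ("/media/blogs/a/beds.jpg", "https://example.net/gallery"),
    "lookalike_host": ("/media/blogs/a/beds.jpg", "https://calstock.org.uk.example.net/"),
    "no_referer": ("/media/blogs/a/beds.jpg", ""),
    "own_site_http": ("/media/blogs/a/beds.jpg", "http://calstock.org.uk/"),
    "uppercase_ext": ("/media/blogs/a/BEDS.JPG", "https://example.net/gallery"),
    "non_image": ("/media/blogs/a/notes.pdf", "https://example.net/gallery"),
}


def evaluate_samples(requests=SAMPLE_REQUESTS):
    """Run every sample request through the rule and return {name: decision}."""
    return {name: rewrite_decision(path, ref) for name, (path, ref) in requests.items()}


if __name__ == "__main__":
    for name, decision in evaluate_samples().items():
        print(f"{name:15s} -> {decision}")
```

Two things the samples make visible: a request with no Referer is served (so direct links and the site's own search results are unaffected, which is what amoun observes), and because the RewriteRule lacks [NC], a file named BEDS.JPG is not covered. A Referer-based rule reduces casual hotlinking; it is not access control, because the header is supplied by the client.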

Apr 29, 2019 23:24

Files (Images) should theoretically only be shown if they are attached to a post that the user is allowed to see.
Seems not to be the case.
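The policy stated in this post, as an added example that is not b2evolution's search code: the search returns a post URL only when the visitor may view that post, and a file only when it is attached to at least one such post, so a file shared between a draft and a published post stays findable through the published one. The status names, the rules in can_view_post, and the sample posts and files are constructed for the illustration and are not b2evolution's actual statuses or data.

```python
from dataclasses import dataclass, field


@dataclass
class Post:
    title: str
    status: str                 # assumed statuses: "published", "protected", "draft"
    url: str
    attachments: list = field(default_factory=list)  # media paths attached to the post


@dataclass
class Visitor:
    logged_in: bool = False
    member: bool = False


# Constructed sample data: one public post, one draft holding the unpublished
# contest photo, one members-only post. garden/beds.jpg is attached to two
# posts; unused/banner.png is attached to nothing.
POSTS = [
    Post("Spring planting", "published", "/spring-planting", ["garden/beds.jpg"]),
    Post("Contest winner announced", "draft", "/contest-winner",
         ["contest/grand-prize-winner.jpg", "garden/beds.jpg"]),
    Post("Members newsletter for April", "protected", "/members-newsletter",
         ["newsletter/april.pdf"]),
]
FILES = ["garden/beds.jpg", "contest/grand-prize-winner.jpg",
         "newsletter/april.pdf", "unused/banner.png"]


def can_view_post(post, visitor):
    """Assumed visibility policy: published is public, protected needs a member
    login, anything else (draft and so on) is hidden from everyone."""
    if post.status == "published":
        return True
    if post.status == "protected":
        return visitor.logged_in and visitor.member
    return False


def naive_file_search(query, files=FILES):
    """The behaviour the thread describes: every file name matching the query
    is listed, regardless of what it is attached to or who is asking."""
    q = query.lower()
    return [f for f in files if q in f.lower()]


def search_results(query, visitor, posts=POSTS, files=FILES):
    """Post URLs only for posts the visitor may view; files only when attached
    to at least one such post."""
    q = query.lower()
    visible = [p for p in posts if can_view_post(p, visitor)]
    post_hits = [p.url for p in visible if q in p.title.lower()]
    attached_to_visible = {f for p in visible for f in p.attachments}
    file_hits = [f for f in files if q in f.lower() and f in attached_to_visible]
    return {"posts": post_hits, "files": file_hits}


if __name__ == "__main__":
    print("naive:    ", naive_file_search("a"))
    print("anonymous:", search_results("a", Visitor()))
    print("member:   ", search_results("a", Visitor(logged_in=True, member=True)))
```

Searching for "a" as an anonymous visitor lists only the published post and the one file attached to it; the draft's URL and the contest photo never appear, and neither does the file attached to no post. The same query from a logged-in member additionally returns the protected post and its attachment.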

Apr 30, 2019 16:46

I FTP the images, so they are available via the URL.

As my media files are embedded in the post text as HTML tags, if I change permissions for the media folder to block access it would also stop them showing in the posts, as the post uses URLs.

I'm thinking about it but busy preparing beds for crops, so bye for now.

Aug 17, 2019 01:53

You're welcome, thank you for the feedback!
