Security issue regarding email file attachments #927
Comments
Plan to fix this,
On second thought, I think private files should stay in

Another cheap solution would be to use links that expire every 30s. So, the extra cost of serving a private file is just some math. (like Amazon S3)
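The expiring-link approach proposed in the comment above, as an added example that is not part of this issue or of Frappe's own code: an HMAC-signed URL with a 30-second lifetime, verified before the file is served. `SECRET_KEY` and the `/private/files/` path prefix are assumptions for the example.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed server-side secret for the example; a real deployment
# would load this from site configuration, never hard-code it.
SECRET_KEY = b"constructed-example-secret"

def sign_private_file_url(path, secret=SECRET_KEY, ttl=30, now=None):
    """Return a link to `path` that is valid for `ttl` seconds.

    The signature covers both the path and the expiry timestamp, so neither
    can be changed without invalidating the link.
    """
    expires = int(now if now is not None else time.time()) + ttl
    msg = f"{path}|{expires}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'expires': expires, 'sig': sig})}"

def verify_private_file_url(url, secret=SECRET_KEY, now=None):
    """Return True only if the signature matches and the link has not expired."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # malformed or missing parameters: refuse to serve
    current = int(now if now is not None else time.time())
    if current > expires:
        return False  # link has expired; the client must request a fresh one
    msg = f"{parsed.path}|{expires}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checks do not leak timing information.
    return hmac.compare_digest(expected, sig)
```

The web server (or an X-Accel-Redirect handler) would call `verify_private_file_url` and only then hand the file back; an unsigned `/files/...` request never reaches the file at all.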
@pdvyas How will you differentiate?

A check in DocType, "has private files".

Can we introduce more robust file management capabilities? Ref: http://stackoverflow.com/questions/2687957/django-serving-media-behind-custom-url

We already use X-Accel-redirect to serve backups. For your suggestion, what use case would it cover? We already store

On Wed, Nov 26, 2014 at 12:37 PM, Dinesh Jagtap notifications@github.com

@anandpdoshi Reference to frappe/erpnext#4474

Do bench update

Sent from my phone

Works now, thanks!
from https://discuss.frappe.io/t/email-file-attachment-security/3812 👍
If I email a customer using Support Ticket, and attach a document by uploading it first, that document appears to be publicly available via /files/, even if you're not authenticated at all. (at least when running via bench start).
This is of course completely unworkable - that document could be sensitive.