You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When a file is uploaded to PasswordPusher, there are 2 URLs per file.
The "secret" URL which is to be passed to the receiver of the file.
The secret URL is constructed like "https://[server]/f/[Token]
The "real" URL or direct link to the file
The real URL is looking like "https://[server]/rails/active_storage/blobs/redirect/[long random string]/[real file name]"
This URL can be copied from the link presented unter "Attached Files".
When the receiver of the file passes on the "real URL", an unlimited amount of downloads can be made.
No restrictions seem to be active for those links.
馃敩 How To Reproduce
Upload a file to PasswordPusher
Open the secret Link in another browser or incognito window and copy the "real link"
Open as many additional tabs/windows as you like and download the file
Environment
Where are you running/using Password Pusher?
[X ] Docker Image
[X ] pwpush
If applicable, what version of Password Pusher?
1.36.5
馃搱 Expected behavior
"Real" URL should either be counting towards view count/download count/age restrictions or not be directly reachable.
The text was updated successfully, but these errors were encountered:
what made me wonder was when I pushed some files with only a single view each, that was used by the preview to extract the direct DL URL and the direct download still worked afterwards on the already expired item.
I guess it depends heavily on the use case how the solution should look like.
I'm currently testing single file pushes over the API. In my case download==view.
In my script I'm extracting the direct download URL from the preview page - currently it's not available via API call, as far as I know.
With multiple file pushes it gets a little difficult.
Maybe an elegant (?) solution would be to ZIP pushes with multiple files in an archive to get a single file to download.
At least this is how web based file managers usually solve the "how to download multiple files" problem.
This would also reduce possible download situations to a single case and solve the views/downloads counter problem.
馃悰 Bug Report
When a file is uploaded to PasswordPusher, there are 2 URLs per file.
The "secret" URL which is to be passed to the receiver of the file.
The secret URL is constructed like "https://[server]/f/[Token]
The "real" URL or direct link to the file
The real URL is looking like "https://[server]/rails/active_storage/blobs/redirect/[long random string]/[real file name]"
This URL can be copied from the link presented unter "Attached Files".
When the receiver of the file passes on the "real URL", an unlimited amount of downloads can be made.
No restrictions seem to be active for those links.
馃敩 How To Reproduce
Environment
Where are you running/using Password Pusher?
If applicable, what version of Password Pusher?
1.36.5
馃搱 Expected behavior
"Real" URL should either be counting towards view count/download count/age restrictions or not be directly reachable.
The text was updated successfully, but these errors were encountered: