Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
ActiveStorage's signed keys not unique, e.g. can be reused for other variants #31662
The comments in
For example; a website provides you thumbnails, where upon purchase you get access to the download page. The signed key then being used, can be reused for any other image, by replacing the signed key part in the thumbnail URL.
I might be misunderstanding the "security-through-obscurity" case here, and it could be that this is the designed behavior, but I would say it would be better to generate these signed keys with an additional variable parameter (filename maybe), so that the signed key for
Rails version: 5.2.0.beta2
Ruby version: 2.4.1p111
Security-through-obscurity refers more to the signed blob ID than the signed variation key, even though the comment on
As I see it, variations are generally harmless. The point of the key is primarily to have a convenient way to reference one in a URL.
Maybe, but in some occasions they're not; like the example I gave above. And I can give more examples like it, but it all boils down to that sometimes not all variants are equal.
I figured it was for preventing users to request any variant they want, but it is just for convenience, then why does it has to be encoded at all?
Then also, what is the static part doing in the variant key?
Anyway; if the file (digest) would be a variable in generating the signature, the issue would not exist. I can try and open a PR with this proposed change?
This issue has been automatically marked as stale because it has not been commented on for at least three months.