Jump to content

IPS 4.3 video bypasses download permissions for attachments


Nathan Explosion

Recommended Posts

Posted

Something I've spotted while updating my HTML5 video player plugin.

The following is the code generated by the IPS 4.3 native embedding functionality for video file uploads:

<video class="ipsEmbeddedVideo" controls="" data-controller="core.global.core.embeddedvideo">
	<source src="http://localhost/ips_43_test/uploads/monthly_2018_04/small.mp4.93b19bfc90dca714d1337ddc469de357.mp4" type="video/mp4">
  		<a class="ipsAttachLink" data-fileid="1" href="http://localhost/ips_43_test/applications/core/interface/file/attachment.php?id=1" rel="">small.mp4</a>
	</source>
</video>

If the forum in which the attachment has been uploaded then has the 'Download attachments' permission for a group disabled, the above code doesn't adhere to that permission.

This does, as it goes via a PHP file which checks for permissions to 'Download attachments':

http://localhost/ips_43_test/applications/core/interface/file/attachment.php?id=1

This doesn't, as it goes directly to the file:

http://localhost/ips_43_test/uploads/monthly_2018_04/small.mp4.93b19bfc90dca714d1337ddc469de357.mp4

Result: if you were previously uploading videos to a forum post and blocking access to said file using the forum permissions then that's no longer possible.

I'll be adding protection against this to my plugin.

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...