IPS 4.3 video bypasses download permissions for attachments


Nathan Explosion

Something I've spotted while updating my HTML5 video player plugin.

The following is the code generated by the IPS 4.3 native embedding functionality for video file uploads:

<video class="ipsEmbeddedVideo" controls="" data-controller="core.global.core.embeddedvideo">
	<source src="http://localhost/ips_43_test/uploads/monthly_2018_04/small.mp4.93b19bfc90dca714d1337ddc469de357.mp4" type="video/mp4">
  		<a class="ipsAttachLink" data-fileid="1" href="http://localhost/ips_43_test/applications/core/interface/file/attachment.php?id=1" rel="">small.mp4</a>
	</source>
</video>

If the forum in which the attachment has been uploaded then has the 'Download attachments' permission for a group disabled, the above code doesn't adhere to that permission.

This does, as it goes via a PHP file which checks for permissions to 'Download attachments':

http://localhost/ips_43_test/applications/core/interface/file/attachment.php?id=1

This doesn't, as it goes directly to the file:

http://localhost/ips_43_test/uploads/monthly_2018_04/small.mp4.93b19bfc90dca714d1337ddc469de357.mp4

Result: if you were previously uploading videos to a forum post and blocking access to said file using the forum permissions then that's no longer possible.

I'll be adding protection against this to my plugin.


Archived

This topic is now archived and is closed to further replies.
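A way to audit stored post HTML for the pattern described in the post, where an embedded video's `<source>` points straight at the uploaded file instead of going through `attachment.php`. This is an added example, not part of the original post and not IPS or plugin code; the names `EmbedAudit` and `audit_post` are hypothetical, and the sample input is the markup quoted in the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Sample input: the embed markup quoted in the post above.
SAMPLE_POST = '''<video class="ipsEmbeddedVideo" controls="" data-controller="core.global.core.embeddedvideo">
	<source src="http://localhost/ips_43_test/uploads/monthly_2018_04/small.mp4.93b19bfc90dca714d1337ddc469de357.mp4" type="video/mp4">
		<a class="ipsAttachLink" data-fileid="1" href="http://localhost/ips_43_test/applications/core/interface/file/attachment.php?id=1" rel="">small.mp4</a>
	</source>
</video>'''

GATEWAY = "/applications/core/interface/file/attachment.php"  # path shown in the post


class EmbedAudit(HTMLParser):
    """Collect <source> URLs in ipsEmbeddedVideo players that skip the gateway."""

    def __init__(self):
        super().__init__()
        self.in_video = False
        self.current = None   # finding for the video currently being parsed
        self.findings = []    # dicts: direct_src, gateway_href, file_id

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "video":
            self.in_video = "ipsEmbeddedVideo" in (a.get("class") or "").split()
            self.current = None
        elif tag == "source" and self.in_video:
            src = a.get("src") or ""
            # A src that is not the permission-checking script is a direct file URL.
            if not urlparse(src).path.endswith(GATEWAY):
                self.current = {"direct_src": src, "gateway_href": None, "file_id": None}
                self.findings.append(self.current)
        elif tag == "a" and self.current is not None and self.current["gateway_href"] is None:
            href = a.get("href") or ""
            # The fallback link names the attachment id that the direct URL exposes.
            if urlparse(href).path.endswith(GATEWAY):
                self.current["gateway_href"] = href
                self.current["file_id"] = parse_qs(urlparse(href).query).get("id", [None])[0]

    def handle_endtag(self, tag):
        if tag == "video":
            self.in_video, self.current = False, None


def audit_post(html):
    """Return one finding per embedded video source that bypasses attachment.php."""
    parser = EmbedAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Each finding pairs the direct file URL with the attachment id from the fallback link, so the affected attachments can be checked against forums where 'Download attachments' is disabled for a group.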
