Jump to content

IPS 4.3 video bypasses download permissions for attachments


Recommended Posts

Something I've spotted while updating my HTML5 video player plugin.

The following is the code generated by the IPS 4.3 native embedding functionality for video file uploads:

<video class="ipsEmbeddedVideo" controls="" data-controller="core.global.core.embeddedvideo">
	<source src="http://localhost/ips_43_test/uploads/monthly_2018_04/small.mp4.93b19bfc90dca714d1337ddc469de357.mp4" type="video/mp4">
  		<a class="ipsAttachLink" data-fileid="1" href="http://localhost/ips_43_test/applications/core/interface/file/attachment.php?id=1" rel="">small.mp4</a>
	</source>
</video>

If the forum in which the attachment has been uploaded then has the 'Download attachments' permission for a group disabled, the above code doesn't adhere to that permission.

This does, as it goes via a PHP file which checks for permissions to 'Download attachments':

http://localhost/ips_43_test/applications/core/interface/file/attachment.php?id=1

This doesn't, as it goes directly to the file:

http://localhost/ips_43_test/uploads/monthly_2018_04/small.mp4.93b19bfc90dca714d1337ddc469de357.mp4

Result: if you were previously uploading videos to a forum post and blocking access to said file using the forum permissions then that's no longer possible.

I'll be adding protection against this to my plugin.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...