
Unauthorized Access to Non-Shared File via Copied Link #2851

Open
tuzumkuru opened this issue Nov 20, 2024 · 3 comments

Comments

@tuzumkuru

I encountered an issue with Seafile Community Edition and OnlyOffice integration where non-shared files can be accessed without authentication through a copied file link.

Steps to Reproduce

  1. Set up Seafile Community Edition with OnlyOffice integration using Docker.
  2. Create a document (e.g., Test.docx) in Seafile.
  3. Click on the document to open it in the OnlyOffice editor.
  4. Copy the file link from the browser.
  5. Paste the link into a non-authorized browser or incognito mode.

Expected Behavior

  • The link should prompt for authentication or display an error message if the user is unauthorized.

Actual Behavior

  • The file opens in the OnlyOffice editor, displaying the content. The Seafile user appears connected to the document, even in an unauthorized session.

Additional Information

  • The file is not shared, and no public link has been generated.
  • Seafile is running on a Raspberry Pi using Docker with Cloudflare tunnels for HTTPS and internet access.

Configuration Details

  • Docker Compose file and additional settings can be provided if needed.
  • Relevant logs from Seafile and OnlyOffice are available upon request.

This behavior seems to bypass authentication for files that are not explicitly shared, which might indicate a misconfiguration or a security issue. Any guidance would be appreciated.

@imwhatiam
Member

@tuzumkuru Hello, we were unable to reproduce this issue locally. Could we log in to your Seafile web interface and Linux server side to conduct debugging and troubleshooting?

@freeplant
Member

I think it may be caused by Cloudflare's cache.

@tuzumkuru
Author

tuzumkuru commented Nov 21, 2024

Thanks for the replies.

I think it may be caused by Cloudflare's cache.

@freeplant Good catch. I tested it by setting a page rule that bypasses caching, and it correctly asked for login as expected.

@tuzumkuru Hello, we were unable to reproduce this issue locally. Could we log in to your Seafile web interface and Linux server side to conduct debugging and troubleshooting?

@imwhatiam The issue has been identified as Cloudflare's caching of the file link. If access to my setup is still required, I can provide it tomorrow.

That said, I believe this is still a concern. Why was the file cached while other pages requiring authentication were not? Even though the caching explains the behavior, it exposes a potential risk. Pages or files requiring authentication should never be cacheable, as this could lead to unauthorized access in scenarios similar to mine.
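The last comment's point, that a response to an authenticated page must never be reusable by a shared cache, can be checked mechanically from response headers. The script below is an added example, not code from this issue, Seafile, OnlyOffice or Cloudflare; its rules are a simplified reading of RFC 9111 (the Set-Cookie rule is common CDN practice, not the RFC), and the sample responses and their names are constructed.

```python
"""Shared-cache exposure check for responses to authenticated pages.
Added example, not code from Seafile, OnlyOffice or Cloudflare. Rules are a
simplified reading of RFC 9111; the Set-Cookie rule is common CDN practice,
not the RFC. All sample responses below are constructed."""
from typing import Dict, List, Tuple

# Status codes a cache may store with heuristic freshness when the response
# carries no explicit freshness information (RFC 9111, section 4.2.2).
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}

def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'max-age=600, private' into {'max-age': '600', 'private': ''}."""
    out: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            name, _, val = token.partition("=")
            out[name.strip().lower()] = val.strip().strip('"')
    return out

def shared_cache_verdict(status: int, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (may_be_reused_by_shared_cache, reason) for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, "Cache-Control: no-store"
    if "private" in cc:
        return False, "Cache-Control: private"
    if "no-cache" in cc:
        return False, "Cache-Control: no-cache (origin revalidates every reuse)"
    if "set-cookie" in h and "public" not in cc:
        return False, "Set-Cookie present (CDNs normally bypass cache)"
    if "s-maxage" in cc or "max-age" in cc or "public" in cc or "expires" in h:
        return True, "explicit freshness or public"
    if status in HEURISTICALLY_CACHEABLE:
        return True, f"status {status} is cacheable by default (heuristic freshness)"
    return False, f"status {status} needs explicit freshness to be cached"

def audit(responses: Dict[str, Tuple[int, Dict[str, str]]]) -> List[str]:
    """Return names of responses a shared cache could hand to an unrelated client."""
    return [n for n, (st, hdrs) in responses.items() if shared_cache_verdict(st, hdrs)[0]]

# Constructed sample: a cookie-authenticated document page that only declares its
# content type (cacheable by default), one marked private, and a login redirect.
SAMPLES = {
    "document-page-unmarked": (200, {"Content-Type": "text/html; charset=utf-8"}),
    "document-page-private": (200, {"Content-Type": "text/html", "Cache-Control": "private, no-store"}),
    "login-redirect": (302, {"Location": "/accounts/login/"}),
}
```

Feeding it the real headers of a document page fetched with an authenticated session (from any HTTP client) tells you whether the page relies on the CDN's bypass rules rather than on its own headers to stay private.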
