app/uploaders/secure_uploader.rb · 200486b6f1b84aec34a3f5f5d440ee93cd3a6586 · Gigadoc 2 / diaspora

Apr 22, 2015

Add a token the filename for exported user data · 0a70e51f

Jonne Haß authored Apr 22, 2015

Also redirect to it for download, for Amazon S3
compatibility.

Prior to this patch an attacker could obtain an
users export by guessing the filename with a high
chance of success. Fully authenticating the
download request is a lot harder due to our diverse
deployment scenarios.

This brings the used method in line with the photo
export feature.

Thanks to @tomekr for the report.

0a70e51f

Add a token the filename for exported user data

Jonne Haß authored Apr 22, 2015

Also redirect to it for download, for Amazon S3
compatibility.

Prior to this patch an attacker could obtain an
users export by guessing the filename with a high
chance of success. Fully authenticating the
download request is a lot harder due to our diverse
deployment scenarios.

This brings the used method in line with the photo
export feature.

Thanks to @tomekr for the report.