Peter Rotich authored
Commit c4579277 introduced an extra administrative security feature to restrict file access to signed-in users only, even if a user has a valid, signed download URL. The feature, however, did not take into account public images and files associated with FAQs and pages such as landing/thank-you pages. This commit addresses the shortcoming by adding a reference ID (attachment ID) to the download/access URL, which can be used to deduce the model/object type the file request is associated with. The technique will allow us in the future to enforce ACLs at the file level depending on privacy settings and the security clearance of the user (agent).
file.php 2.18 KiB
<?php
/*********************************************************************
file.php
File download facilitator for clients
Peter Rotich <peter@osticket.com>
Jared Hancock <jared@osticket.com>
Copyright (c) 2006-2014 osTicket
http://www.osticket.com
Released under the GNU General Public License WITHOUT ANY WARRANTY.
See LICENSE.TXT for details.
vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/
require('client.inc.php');
require_once(INCLUDE_DIR.'class.file.php');
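// Basic checks: every request must carry a file key, a signature and an
// expiry, and the key must resolve to a known file. isset()/is_string()
// guards avoid undefined-index notices on bare requests and reject
// array-valued parameters (e.g. ?key[]=x), which would otherwise be handed
// to lookupByHash() as a non-string.
if (!isset($_GET['key'], $_GET['signature'], $_GET['expires'])
    || !is_string($_GET['key']) || !$_GET['key']
    || !is_string($_GET['signature']) || !$_GET['signature']
    || !is_string($_GET['expires']) || !$_GET['expires']
    || !($file = AttachmentFile::lookupByHash($_GET['key']))
) {
    Http::response(404, __('Unknown or invalid file'));
}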
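// Work out what kind of object the file is attached to (ticket, FAQ, page,
// ...). The optional `id` query parameter names an attachment record. The
// lookup is scoped to this file's own attachments, so a caller can only pick
// among the objects this particular file is genuinely attached to — they
// cannot borrow the type of an unrelated attachment.
// NOTE(review): the attachment `type` codes (e.g. 'P', 'F') come from the
// attachment model in class.file.php, not from this script — verify there.
$type = '';
if (!empty($_GET['id']) && is_scalar($_GET['id'])) {
    $attachment = $file->attachments->findFirst(['id' => $_GET['id']]);
    if ($attachment)
        $type = $attachment->type;
}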
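// Enforce the "login required for files" setting when it is enabled. Files
// attached to FAQs ('F') and pages ('P') are public by design and skip the
// login requirement; everything else needs either a client session
// ($thisuser) or an agent session (StaffAuthenticationBackend).
// NOTE(review): being attached to an FAQ/page is currently sufficient to be
// served without login, regardless of whether that FAQ/page is published.
if ($cfg->isAuthRequiredForFiles()
    && !in_array($type, ['P', 'F'], true)
    && !$thisuser
    && !StaffAuthenticationBackend::getUser()
) {
    // Heuristic only: if the request appears to originate from the staff
    // panel, send the agent to the staff login and remember where to return.
    // The header key in $_SERVER is HTTP_REFERER (one R); the previous
    // spelling never matched, so agents were always routed to the client
    // login. The referer is client-supplied, so it only selects which login
    // page is shown — it never grants access.
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    if ($referer !== '' && strpos($referer, ROOT_PATH . 'scp/') !== false) {
        // Collapse any leading slashes before re-adding exactly one, so the
        // stored return path is always site-relative (never `//host/...`).
        $_SESSION['_staff']['auth']['dest'] =
            '/' . ltrim($_SERVER['REQUEST_URI'], '/');
        Http::redirect(ROOT_PATH.'scp/login.php');
    } else {
        // Otherwise fall back to the client login flow.
        require 'secure.inc.php';
    }
}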
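// Validate the signed link: the signature binds the key to the expiry, so an
// expired or tampered link is treated as an unknown file.
// NOTE(review): whether the signature also proves access to the parent
// ticket depends on verifySignature() in class.file.php — confirm there.
if ($file->verifySignature($_GET['signature'], $_GET['expires'])) {
    try {
        // Images may be rendered inline at a requested size (`s`); every
        // other content type is sent as a download.
        $size = isset($_GET['s']) ? $_GET['s'] : null;
        if ($size && strpos($file->getType(), 'image/') === 0)
            return $file->display($size);

        // `disposition` is passed through as-is when non-empty, else false.
        $disposition = !empty($_GET['disposition']) ? $_GET['disposition'] : false;
        $file->download($disposition, $_GET['expires']);
    }
    catch (Exception $ex) {
        // Keep the detail server-side: exception text can carry filesystem
        // paths or backend details that should not be echoed to the client.
        error_log('file.php: unable to serve file: '.$ex->getMessage());
        Http::response(500, __('Unable to find that file'));
    }
}
// Fall through: bad or expired signature, or nothing was sent above.
Http::response(404, __('Unknown or invalid file'));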