[Bug] Cache files in a public bucket are visible to everyone #269

Open
panghaibin opened this issue Oct 7, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@panghaibin
Contributor

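Bug description
The cache file in a public bucket is visible to everyone, and it contains information about posts that are visible only to me

Steps to reproduce

  1. Find the bucket domain used by the site through an image link in a post
  2. Visit the bucket domain + /cache/cache.json

Expected behavior

Screenshots

Environment variables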

@panghaibin
Contributor Author

if (!uid) {
    set.status = 401;
    return 'Unauthorized';
}

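Also, the current control on file uploads is that any logged-in user can upload. Not sure whether this is a bug or a feature? Shouldn't only administrators be allowed to upload?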

@OXeu
Collaborator

OXeu commented Oct 7, 2024

if (!uid) {
    set.status = 401;
    return 'Unauthorized';
}

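Also, the current control on file uploads is that any logged-in user can upload. Not sure whether this is a bug or a feature? Shouldn't only administrators be allowed to upload?

It was originally designed to allow other users to attach images when replying, but that has not been implemented yet. As it stands, there is a design flaw here.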

@OXeu OXeu added the bug Something isn't working label Oct 8, 2024
@panghaibin
Contributor Author

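I re-read the documentation and found that the cache path can actually be customized through the environment variable S3_CACHE_FOLDER, so it should be possible to avoid leaking the cache file by setting a long random path instead of the default cache/ path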
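
A way to check your own deployment for the exposure described in this issue and to generate a long random value for S3_CACHE_FOLDER, as an added example that is not part of the thread or of the project's code. The function names and the bucket.example.com host are hypothetical, and it assumes the cache file is named cache.json under the configured folder, as in the reproduction steps.

```javascript
// Added example, not project code. Function names and sample hosts are hypothetical.
const { randomBytes } = require('node:crypto');

// Build a long, unguessable value for the S3_CACHE_FOLDER environment variable.
function randomCacheFolder(bytes = 24) {
  return `cache-${randomBytes(bytes).toString('hex')}/`;
}

// Join the bucket origin and the cache folder into the URL of cache.json.
function cacheUrl(bucketBase, folder = 'cache/') {
  const base = bucketBase.endsWith('/') ? bucketBase : bucketBase + '/';
  const path = folder.replace(/^\/+/, '').replace(/\/*$/, '/');
  return new URL(path + 'cache.json', base).toString();
}

// Decide from an anonymous response whether the cache file is exposed.
function classify(status, body) {
  if (status === 401 || status === 403 || status === 404) return 'not-exposed';
  if (status === 200) {
    // A 200 that parses as JSON means any visitor can read the cache.
    try { JSON.parse(body); return 'exposed'; } catch { return 'inconclusive'; }
  }
  return 'inconclusive';
}

// Request the file without credentials, the way any visitor would.
// fetchImpl is injectable so the check can be exercised offline.
async function checkCacheExposure(bucketBase, folder = 'cache/', fetchImpl = fetch) {
  const url = cacheUrl(bucketBase, folder);
  const res = await fetchImpl(url, { redirect: 'manual' });
  const body = res.status === 200 ? await res.text() : '';
  return { url, result: classify(res.status, body) };
}
```

Run checkCacheExposure against the default cache/ folder after changing the variable to confirm the old file is no longer served. A random folder only helps if the bucket does not allow anonymous listing.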
