Profile Pictures Are Public (accessible to anyone without login) In Docker Version #987
Comments
This is true for any version of Monica. It's more of a side effect of how images are stored. It is possible to move the images to a non-public dir and stream them through PHP on a per-request basis, but that slows load time. I'd also say that this isn't an issue; the images are renamed with a random 40-char name. It's not really possible to guess that URL.
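The per-request streaming approach described in the comment above, as an added example that is not Monica's code nor the fork's commit: a Laravel route that serves avatars from a non-public directory only to authenticated users. It assumes the layout `storage/app/avatars/<account_id>/<40-char-name>.<ext>` and an `account_id` attribute on the user model (both hypothetical).

```php
<?php
// Added example (not Monica's code nor the naiba fork): serve avatars from a
// non-public directory only to authenticated users, one PHP request per image.
// Assumed layout: storage/app/avatars/<account_id>/<40-char-random>.<ext>,
// and an `account_id` attribute on the authenticated user model.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// Accept only names of the shape Monica generates: 40 random characters
// followed by an image extension.
const AVATAR_NAME_PATTERN = '/^[A-Za-z0-9]{40}\.(jpe?g|png|gif)$/';

Route::get('/storage/avatars/{filename}', function (Request $request, string $filename) {
    // Reject anything that is not a well-formed avatar name. This also rules
    // out path traversal, since '/' and '..' cannot match the pattern.
    if (!preg_match(AVATAR_NAME_PATTERN, $filename)) {
        abort(404);
    }

    $user = $request->user();

    // Scope the lookup to the caller's own account (assumption: avatars are
    // stored per account), so a valid name from another account is not
    // served even to a logged-in user.
    $path = storage_path('app/avatars/' . $user->account_id . '/' . $filename);

    if (!is_file($path)) {
        abort(404);
    }

    // Stream the file from storage/app, which the web server never exposes.
    return response()->file($path, [
        'Cache-Control'          => 'private, no-store',
        'X-Content-Type-Options' => 'nosniff',
    ]);
})->middleware('auth');
```

Because the files live under `storage/app` rather than `public/`, nothing remains for Apache or a Docker reverse proxy to block; the route's `auth` middleware is the only gate.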
Is there a way to avoid this? You can also access a private image on Facebook if you know the URL.
Yes, you are authenticating every image path with PHP, but then use
Hey, I implemented this security feature. Check out this instance http://monica.naibahq.com/storage/photos/0Y7BpsgvyCgMB1Ku4RK2r1y184GtEZCgYxPRXv2F.jpg I forked Monica ( https://github.com/naiba/monica-fork ) because they do not want to merge my PR or give me any feedback.
@naiba Could you describe your solution here, and maybe implement it here? It would benefit everyone.
@asbiin FYI naiba-archived/monica-fork@21d9a19
🎉 This issue has been resolved in version 3.1.0 🎉 The release is available on:
Your semantic-release bot 📦🚀
This issue has been automatically locked since there
I've migrated my setup from a manual install over to the docker version. The docker version is great except that any file in "www.myserver.com/storage/avatars/" can be accessed by anyone if they know the image file name. In my previous manual install I had a setup in my virtual host in Apache that blocked access to these files. It was as follows:
However, to my knowledge it isn't possible to do this with docker because you can't use <Directory> for a reverse proxy. I tried to use <Location> and <LocationMatch> but I was unable to make those work.
Is having the images public intentional or is this a bug with the docker version of Monica?
This is my current reverse proxy virtual host for the Docker version: