[GH-ISSUE #103] csv files in /data are accessible #78

Closed
opened 2026-02-25 23:40:36 +03:00 by kerem · 1 comment
Owner

Originally created by @thomasdeurloo on GitHub (Nov 13, 2019).
Original GitHub issue: https://github.com/HaschekSolutions/pictshare/issues/103

Hi,

The folder "data" contains the sha1.csv which is containing the hashes. My folder is also containing a file called "uploads.csv" containing the logged uploads. (I assume that the presence of this file is dependent on the parameter to log uploads). The csv files are publicly accessible to everyone. So if one knows that this system is used, he can request a full overview of the sha1 hashes, and in case of the logged uploads also the IP addresses.

To prevent this I created an .htaccess file in the data folder containing

```
<FilesMatch "\.(php|pl|py|jsp|exe|flv|csv|asp|htm|shtml|sh|cgi)$">
    Deny from All
</FilesMatch>
```

Which is blocking access to requests on csv files (as well as some others than uploaded content, just to be sure). Is this the best way of doing this?

kerem closed this issue 2026-02-25 23:40:36 +03:00
Author
Owner

@geek-at commented on GitHub (Nov 13, 2019):

Thanks, will add it to the nginx config

In the install example I use this as the default:

```
location ~ /(data|tmp|bin|content-controllers|inc|interfaces|storage-controllers|templates|tools) {
    deny all;
    return 404;
}
```
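A way to compare what the two rules quoted in this thread cover, as an added example that is not part of the original issue or of the PictShare code: it models the Apache `FilesMatch` rule and the nginx `location` regex in Python and runs both over constructed request paths. The two matching functions are simplified models (assumptions) of how each server applies its rule, and every path other than `/data/sha1.csv` and `/data/uploads.csv` is hypothetical.

```python
import posixpath
import re

# Patterns copied from the two rules quoted in the thread.
APACHE_FILESMATCH = re.compile(r"\.(php|pl|py|jsp|exe|flv|csv|asp|htm|shtml|sh|cgi)$")
NGINX_LOCATION = re.compile(
    r"/(data|tmp|bin|content-controllers|inc|interfaces|"
    r"storage-controllers|templates|tools)"
)

def apache_blocks(uri_path, htaccess_dir="/data/"):
    """Model of the .htaccess rule: it applies only below the directory that
    holds the .htaccess file, and FilesMatch tests the file name only."""
    path = posixpath.normpath(uri_path)
    if not path.startswith(htaccess_dir):
        return False
    return APACHE_FILESMATCH.search(posixpath.basename(path)) is not None

def nginx_blocks(uri_path):
    """Model of the location rule: an unanchored, case-sensitive regex
    searched anywhere in the normalized request path."""
    return NGINX_LOCATION.search(posixpath.normpath(uri_path)) is not None

# Constructed request paths; only the two CSV names come from the issue.
SAMPLE_PATHS = [
    "/data/sha1.csv",       # hash list named in the issue
    "/data/uploads.csv",    # upload log named in the issue
    "/data/notes.txt",      # extension not on the FilesMatch list
    "/data/sha1.csv.bak",   # backup copy: ".csv" is no longer the suffix
    "/tmp/export.csv",      # outside data/, so the .htaccess does not apply
    "/database.png",        # starts with "/data": unanchored regex matches
    "/abc123.jpg",          # ordinary file, neither rule applies
]

def audit(paths=SAMPLE_PATHS):
    """Return (path, blocked_by_apache_rule, blocked_by_nginx_rule) rows."""
    return [(p, apache_blocks(p), nginx_blocks(p)) for p in paths]

if __name__ == "__main__":
    print(f"{'path':<22}{'htaccess':<10}nginx")
    for path, apache, nginx in audit():
        print(f"{path:<22}{str(apache):<10}{nginx}")
```

The extension list only covers the named suffixes inside `data/`, while the directory regex covers everything under the listed folders but also matches any path that merely begins with one of those names.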
