[GH-ISSUE #578] [Security] Thumbnails of private bookmarks are accessible without authentication #308

Closed
opened 2026-02-25 23:33:55 +03:00 by kerem · 1 comment

Originally created by @andrigamerita on GitHub (Feb 13, 2023).
Original GitHub issue: https://github.com/go-shiori/shiori/issues/578

Data

  • Shiori version: v1.5.4 (latest release)
  • Database Engine: SQLite
  • Operating system: Raspbian GNU/Linux 11 (bullseye), Linux raspberrypi 5.15.84-v7+ #1613 SMP Thu Jan 5 11:59:48 GMT 2023 armv7l GNU/Linux
  • CLI/Web interface/Web Extension: Web server (affects the server itself, not the web UI)

Describe the bug / actual behavior

If the /bookmark/{ID}/thumb HTTP endpoint of a Shiori instance running in serve mode is reached, where ID is the numeric id of an existing saved bookmark, the image file that is a thumbnail of the corresponding bookmark is returned, regardless of whether the bookmark in question is private and the current HTTP request is not authenticated.

Expected behavior

If the above-mentioned endpoint is reached, the software should return the data of the thumbnail image file only if at least one of the following conditions is met; otherwise it should redirect to the login page exactly as already correctly happens with the /bookmark/{ID}/content and /bookmark/{ID}/archive endpoints (or, at the very least, deny access with an error):

  • The bookmark is marked as public in the database
  • The bookmark is marked as private in the database but the request is correctly authenticated

To Reproduce

Steps to reproduce the behavior:

  1. Know the ID of a private bookmark (trivial due to IDs not being random)
  2. Verify that, without having a logged-in session in an account that owns the bookmark, it is not readable from either the /bookmark/{ID}/content or /bookmark/{ID}/archive HTTP endpoints of a Shiori instance running in serve mode (which is correct behavior)
  3. Try to access the /bookmark/{ID}/thumb still without having a valid session, and notice that the thumbnail file is accessible as if the article it belongs to wasn't private (which shouldn't happen)

Screenshots

Not applicable.

Curl demonstration

$ curl --output - https://PRIVATE/bookmark/2/archive/
<a href="/login?dst=%2Fbookmark%2F2%2Farchive%2F">Moved Permanently</a>.

$ curl --output - https://PRIVATE/bookmark/2/thumb
{Binary data of the image file}
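The access rule the report asks for, as an added example that is not part of the original issue and not Shiori's own code: a small net/http handler for the thumb route that serves the image only when the bookmark is public or the request is authenticated, and otherwise redirects to /login?dst=... exactly like the /content and /archive responses shown in the curl output. The Bookmark type, the in-memory store, the session cookie name and the token value are all constructed for the example. One deliberate detail beyond the report: an unauthenticated request for a nonexistent ID gets the same redirect as a private one, so the redirect-vs-404 difference cannot be used to enumerate which sequential IDs exist.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
)

// Bookmark is a minimal stand-in for a bookmark record (assumption, not Shiori's schema).
type Bookmark struct {
	ID     int
	Public bool
	Thumb  []byte // thumbnail bytes; constructed sample data below
}

// store is a constructed in-memory sample with sequential IDs, as in the report.
var store = map[int]Bookmark{
	1: {ID: 1, Public: true, Thumb: []byte("PNG-public")},
	2: {ID: 2, Public: false, Thumb: []byte("PNG-private")},
}

// validSessionToken is a hypothetical session token used only by this example.
const validSessionToken = "constructed-session-token"

// isAuthenticated is a hypothetical session check: a "session" cookie
// carrying the known token counts as a logged-in request.
func isAuthenticated(r *http.Request) bool {
	c, err := r.Cookie("session")
	return err == nil && c.Value == validSessionToken
}

// canServeThumb encodes the expected behaviour from the report:
// public bookmarks are always served, private ones only to authenticated requests.
func canServeThumb(bm Bookmark, authenticated bool) bool {
	return bm.Public || authenticated
}

// thumbHandler serves GET /bookmark/{ID}/thumb. The bug in the report
// corresponds to serving bm.Thumb without consulting canServeThumb at all.
func thumbHandler(w http.ResponseWriter, r *http.Request) {
	parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
	if len(parts) != 3 || parts[0] != "bookmark" || parts[2] != "thumb" {
		http.NotFound(w, r)
		return
	}
	id, err := strconv.Atoi(parts[1])
	if err != nil {
		http.NotFound(w, r)
		return
	}

	bm, ok := store[id]
	authed := isAuthenticated(r)
	if ok && canServeThumb(bm, authed) {
		w.Header().Set("Content-Type", "image/png")
		w.Write(bm.Thumb)
		return
	}
	if !authed {
		// Same shape as the /archive response in the report: bounce to login
		// with the original path in dst. Nonexistent and private IDs look alike here.
		http.Redirect(w, r, "/login?dst="+url.QueryEscape(r.URL.Path), http.StatusMovedPermanently)
		return
	}
	// Authenticated but the ID does not exist.
	http.NotFound(w, r)
}

// probe runs one request through the handler offline and returns status and body.
func probe(path string, withSession bool) (int, string) {
	req := httptest.NewRequest("GET", path, nil)
	if withSession {
		req.AddCookie(&http.Cookie{Name: "session", Value: validSessionToken})
	}
	rec := httptest.NewRecorder()
	thumbHandler(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, c := range []struct {
		path string
		auth bool
	}{{"/bookmark/1/thumb", false}, {"/bookmark/2/thumb", false}, {"/bookmark/2/thumb", true}} {
		code, body := probe(c.path, c.auth)
		fmt.Printf("%s auth=%v -> %d %q\n", c.path, c.auth, code, body)
	}
}
```

Running main shows the three cases from the report: the public thumbnail is served without a session, the private one is redirected to /login?dst=%2Fbookmark%2F2%2Fthumb without a session, and served with one.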
kerem 2026-02-25 23:33:55 +03:00
@Monirzadeh commented on GitHub (Jul 1, 2023):

@andrigamerita thanks for your report, I send a PR to fix that.
